CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-31889: Shopware App Registration Flow Credential Takeover

Vulnerability ID: CVE-2026-31889
CVSS Score: 8.9
Published: 2026-03-11

CVE-2026-31889 is a critical vulnerability within the Shopware open commerce platform's app registration flow. The flaw exists in the legacy HMAC-based handshake mechanism used for app re-registration. It permits an unauthenticated attacker to spoof registration requests and hijack communication channels, leading to the unauthorized interception of API credentials and integration tokens.

TL;DR

Shopware versions prior to 6.6.10.15 and 6.7.8.1 fail to require a proof-of-possession signature during app re-registration. Attackers possessing a shared App Secret can modify a shop's URL routing metadata to intercept API tokens and webhooks.


Technical Details

  • CWE ID: CWE-290
  • Attack Vector: Network
  • CVSS Score: 8.9
  • Impact: Credential Takeover, Communication Hijacking
  • Exploit Status: Unexploited
  • KEV Status: Not Listed

Affected Systems

  • Shopware Core
  • Shopware Platform
  • shopware/core: < 6.6.10.15 (Fixed in: 6.6.10.15)
  • shopware/core: >= 6.7.0.0, < 6.7.8.1 (Fixed in: 6.7.8.1)

Code Analysis

Commit: f7ee8cb

Initial development of secret rotation functionality.

Commit: 2cf6a1f

Implementation of old secret persistence for re-installations.

Mitigation Strategies

  • Upgrade Shopware core and platform packages
  • Implement secret rotation for installed apps
  • Validate shopware-shop-signature header in app backends

Remediation Steps:

  1. Update shopware/core and shopware/platform to version 6.6.10.15 or 6.7.8.1.
  2. Trigger a secret rotation for all installed apps using the endpoint POST /api/_action/app-system/secret/rotate.
  3. Ensure all custom app backend implementations are updated to support dual signature validation.
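The following is an added example of the dual signature validation that the mitigation bullet on the shopware-shop-signature header and remediation step 3 call for, written for the app-backend side; it is not code from the report or from Shopware itself. It assumes the header carries a hex-encoded HMAC-SHA256 over the raw request body keyed with the shop's app secret, that the backend already knows which shop a request belongs to (the shop_id parameter), and that a per-shop store keeps both the current and the previous secret while a rotation is in flight. The shop ids, secrets and webhook body are constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Optional

# Header the Shopware shop sends on requests to the app backend (name taken from the report).
SIGNATURE_HEADER = "shopware-shop-signature"

# Constructed per-shop credential store. During a rotation both the current and the
# previous secret are kept so requests signed with either still verify until the
# grace period ends and retire_previous_secret() is called.
SHOP_SECRETS = {
    "shop-demo-1": {"current": "new-secret-after-rotation",
                    "previous": "old-secret-before-rotation"},
    "shop-demo-2": {"current": "only-secret", "previous": None},
}


def sign_body(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the raw body; assumed to be the construction behind the header."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_shop_signature(shop_id: str, body: bytes, header_value: Optional[str]) -> Optional[str]:
    """Return 'current' or 'previous' for the secret that validates the signature, else None.

    Every configured secret is checked with a constant-time comparison, so the
    response time does not depend on which secret (if any) matched.
    """
    secrets = SHOP_SECRETS.get(shop_id)
    if not secrets or not header_value:
        return None
    presented = header_value.strip().lower()
    matched = None
    for label in ("current", "previous"):
        secret = secrets.get(label)
        if not secret:
            continue
        if hmac.compare_digest(sign_body(body, secret), presented) and matched is None:
            matched = label
    return matched


def handle_webhook(shop_id: str, body: bytes, headers: dict) -> dict:
    """Reject unsigned or mis-signed payloads before any business logic touches the body."""
    matched = verify_shop_signature(shop_id, body, headers.get(SIGNATURE_HEADER))
    if matched is None:
        return {"status": 401, "reason": "invalid or missing shop signature"}
    payload = json.loads(body)
    # Record which secret verified: a steady stream of 'previous' long after a
    # rotation means the shop never picked up the new secret and needs a look.
    return {"status": 200, "verified_with": matched, "event": payload.get("event")}


def retire_previous_secret(shop_id: str) -> None:
    """Call once the rotation grace period is over so the old secret can no longer verify."""
    if shop_id in SHOP_SECRETS:
        SHOP_SECRETS[shop_id]["previous"] = None


if __name__ == "__main__":
    # Constructed webhook body as a shop might send it after a rotation.
    body = b'{"event": "product.written", "source": {"shopId": "shop-demo-1"}}'
    good = {SIGNATURE_HEADER: sign_body(body, "old-secret-before-rotation")}
    print(handle_webhook("shop-demo-1", body, good))   # accepted via 'previous'
    print(handle_webhook("shop-demo-1", body, {}))     # 401, header missing
    retire_previous_secret("shop-demo-1")
    print(handle_webhook("shop-demo-1", body, good))   # 401 once the old secret is retired
```

The backend accepts a request signed with either secret only during the rotation window; after retire_previous_secret() runs, only the current secret verifies, which is the state the report's remediation aims for once every installed app has rotated.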

Read the full report for CVE-2026-31889 on our website for more details including interactive diagrams and full exploit analysis.
