CVE-2026-48009 in Shopwareinfo

Summary

by MITRE • 07/17/2026

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

Shopware represents a widely adopted open commerce platform that serves as the foundation for numerous e-commerce operations worldwide. The vulnerability identified affects versions prior to 6.6.10.18 and 6.7.10.1, creating a significant security risk through improper access control mechanisms within the user recovery functionality. This flaw enables low-privilege administrative users to escalate their privileges and gain unauthorized access to any admin account within the system.

The technical implementation of this vulnerability stems from a design oversight in the UserRecoveryDefinition.php file located in the Core/System/User/Recovery directory. The root cause involves the exposure of sensitive password recovery hash fields through the Admin API interface without proper security protections. Specifically, the hash field lacks the ApiAware(false) annotation and ReadProtection mechanisms that would normally prevent unauthorized access to critical system data. This configuration allows malicious actors with minimal privileges to exploit the recovery process by leveraging legitimate API endpoints.

The attack vector follows a systematic three-step process that demonstrates the severity of this vulnerability. First, an attacker with user_recovery:read ACL permissions triggers the POST /api/_action/user/user-recovery endpoint to initiate a password recovery request for any target admin account. Second, they utilize the POST /api/search/user-recovery endpoint to retrieve the generated recovery hash, bypassing normal access controls that should protect this sensitive information. Finally, they execute a PATCH /api/_action/user/user-recovery/password operation to reset the target account's password using the obtained hash, effectively gaining full administrative control over any user account within the system.

This vulnerability directly corresponds to CWE-284, which describes improper access control in software systems where insufficient protections allow unauthorized users to access resources they should not be able to reach. The flaw also aligns with ATT&CK technique T1078.004, which covers valid accounts used for privilege escalation through legitimate administrative processes. The impact extends beyond simple privilege escalation as it undermines the fundamental security model of the platform, potentially allowing attackers to access sensitive customer data, modify product catalogs, manipulate transactions, and compromise the entire e-commerce infrastructure.

Organizations utilizing Shopware versions affected by this vulnerability face significant operational risks including potential data breaches, unauthorized financial transactions, and complete system compromise. The low privilege requirements make this attack particularly dangerous as it can be executed by users who should normally only have limited recovery access. System administrators must immediately implement mitigations including upgrading to the patched versions 6.6.10.18 or 6.7.10.1, reviewing and tightening ACL permissions for user recovery functions, and implementing additional monitoring around recovery-related API endpoints. The vulnerability also highlights the importance of proper API security implementation and adherence to security best practices in open source platforms where multiple users may have varying levels of access rights.

Responsible

GitHub M

Reservation

05/20/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!