CVE-2026-48010 in Shopwareinfo

Summary

by MITRE • 07/17/2026

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser() in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEM_SCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users; IntegrationController::upsertIntegration() contains an isAdmin() check for the same field, but UserController was missing this check. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability described affects Shopware commerce platforms prior to versions 6.6.10.18 and 6.7.10.1, specifically within the user management functionality of the system. This represents a critical privilege escalation flaw that allows unauthorized users to gain administrative privileges through API interactions. The core issue exists in the UserController::upsertUser() method located in src/Core/Framework/Api/Controller/UserController.php where raw user data is processed without proper validation of the admin field. This oversight enables non-administrative API users who possess basic user creation or update permissions to manipulate the administrative status of users by setting the admin field to true, effectively bypassing normal access control mechanisms.

The technical flaw stems from an inconsistent security implementation between two similar controller methods within the same platform. While IntegrationController::upsertIntegration() properly implements an isAdmin() check to validate administrative privileges before allowing modification of the admin field, the UserController lacks this crucial validation step. This discrepancy creates a security gap where the system accepts potentially malicious input without verifying that the requesting user has adequate authorization to make such changes. The vulnerability operates at the application layer and specifically targets the platform's access control model by exploiting a missing validation check in the user management API endpoint.

The operational impact of this vulnerability is significant as it allows attackers with minimal privileges to escalate their access level within the system. An attacker who gains access to an API account with user:create or user:update ACL permissions can immediately elevate their privileges to administrative status, potentially gaining access to sensitive system configurations, customer data, financial information, and other restricted functionalities. This represents a severe compromise of the principle of least privilege that should normally prevent non-administrative users from modifying core system parameters. The vulnerability affects both new user creation and existing user modification scenarios, providing multiple attack vectors for exploitation.

This vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient input validation where administrative privileges are improperly granted through API parameter manipulation. From an ATT&CK framework perspective, this maps to privilege escalation techniques within the execution phase, specifically targeting T1068 (Local Privilege Escalation) and T1548.001 (Abuse Elevation Control Mechanism). The flaw demonstrates poor security by design principles where access control checks are not consistently applied across similar functionality within the same codebase. Organizations should implement immediate mitigations including restricting API permissions, monitoring for unauthorized privilege changes, and applying the patched versions 6.6.10.18 or 6.7.10.1 to prevent exploitation of this critical vulnerability that undermines fundamental security boundaries within the Shopware platform infrastructure.

Responsible

GitHub M

Reservation

05/20/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!