CVE-2026-48014 in Shopwareinfo

Summary

by MITRE • 07/17/2026

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/_action/order/{orderId}/state/{transition} and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare PlatformRequest::ATTRIBUTE_ACL or perform an explicit privilege check, so AclAnnotationValidator exits when route ACL metadata is absent and low-privileged users without order:update, order_transaction:update, or order_delivery:update can trigger StateMachineRegistry::transition() writes in SYSTEM_SCOPE. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability described affects Shopware commerce platforms prior to versions 6.6.10.18 and 6.7.10.1, specifically targeting the order state transition functionality within the Core/Checkout/Order/Api/OrderActionController.php component. This represents a critical access control flaw that undermines the platform's authorization mechanisms and allows unauthorized privilege escalation through improper validation of user permissions.

The technical flaw stems from the absence of proper access control declarations in the API endpoints responsible for order state transitions including /api/_action/order/{orderId}/state/{transition} and related transaction and delivery transition routes. The system fails to declare PlatformRequest::ATTRIBUTE_ACL or perform explicit privilege checks, creating a scenario where the AclAnnotationValidator exits prematurely when route ACL metadata is missing. This absence of validation creates an exploitable condition where users with minimal privileges can trigger state transitions that should require higher authorization levels.

The operational impact of this vulnerability is significant as it enables low-privileged users to manipulate order states, order transactions, and delivery statuses through the StateMachineRegistry::transition() method operating in SYSTEM_SCOPE. This allows attackers to potentially alter order processing workflows, modify payment statuses, change delivery information, and disrupt normal business operations without proper authorization. The vulnerability effectively bypasses the platform's built-in access control lists and privilege management systems.

This issue maps directly to CWE-284 (Improper Access Control) and aligns with ATT&CK techniques related to privilege escalation and unauthorized access. The vulnerability demonstrates a failure in the principle of least privilege implementation, where the system assumes that API endpoints without explicit ACL declarations are accessible to all authenticated users rather than enforcing proper authorization checks. The fix implemented in versions 6.6.10.18 and 6.7.10.1 addresses this by properly declaring access control attributes and implementing explicit privilege validation before allowing state transition operations to proceed.

Organizations using affected Shopware versions should immediately implement mitigations including updating to the patched versions, reviewing existing user permissions and roles, and monitoring for unauthorized state transitions in order processing workflows. Additional defensive measures may include implementing network-level restrictions on administrative API endpoints and conducting comprehensive access control audits to ensure proper privilege assignment across all user accounts.

Responsible

GitHub M

Reservation

05/20/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!