CVE-2026-31887

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:shopware:shopware::::::::
	cpe:2.3:a:shopware:shopware::::::::

History

16 Mar 2026, 20:39

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584 -~~	() https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584 - Vendor Advisory
CPE		cpe:2.3:a:shopware:shopware::::::::
Summary		(es) Shopware es una plataforma de comercio abierta. Antes de las versiones 6.7.8.1 y 6.6.10.15, una verificación insuficiente de los tipos de filtro para clientes no autenticados permite el acceso a pedidos de otros clientes. Esto forma parte del soporte de deepLinkCode en el endpoint store-API.order. Esta vulnerabilidad se ha corregido en las versiones 6.7.8.1 y 6.6.10.15.
First Time		Shopware Shopware shopware

11 Mar 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 19:16

Updated : 2026-03-16 20:39

NVD link : CVE-2026-31887

Mitre link : CVE-2026-31887

CVE.ORG link : CVE-2026-31887

JSON object : View

Products Affected

shopware

shopware

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-31887", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-11T19:16:04.950", "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta. Antes de las versiones 6.7.8.1 y 6.6.10.15, una verificaci\u00f3n insuficiente de los tipos de filtro para clientes no autenticados permite el acceso a pedidos de otros clientes. Esto forma parte del soporte de deepLinkCode en el endpoint store-API.order. Esta vulnerabilidad se ha corregido en las versiones 6.7.8.1 y 6.6.10.15."}], "lastModified": "2026-03-16T20:39:53.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5486B22-79CE-4581-BD61-4CF0E3BFB843", "versionEndExcluding": "6.6.10.15"}, {"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A198E1E6-E6EE-4D98-BF25-E2A5055E8DC8", "versionEndExcluding": "6.7.8.1", "versionStartIncluding": "6.7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}