Description
FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.
Published: 2026-02-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Immediate Patch
AI Analysis

Impact

FroshAdminer, a Shopware Platform plugin, allowed unauthenticated users to reach its Adminer interface at /admin/adminer. The plugin was configured with auth_required set to false and performed no session validation, thus exposing the database management UI. An attacker who gains access to the UI could view database credentials, execute arbitrary queries against the shop's database, and potentially modify or delete data, resulting in a breach of confidentiality and integrity.

Affected Systems

FriendsOfShopware’s FroshPlatformAdminer plugin is affected in all versions prior to 2.2.1. Users running any older version of the plugin are at risk until they upgrade to 2.2.1 or later, where the authentication requirement has been enforced.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, indicating medium severity, and an EPSS score of less than 1 %, meaning exploit probability is low. It is not listed in CISA’s KEV catalog. Attackers would most likely exploit the weakness by simply browsing to /admin/adminer via a web browser, as the route is publicly reachable without authentication. The weakness falls under CWE‑306, reflecting missing authentication protection.

Generated by OpenCVE AI on April 18, 2026 at 12:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FroshPlatformAdminer to version 2.2.1 or later to enforce authentication on the Adminer route.
  • Verify that the plugin’s configuration specifies auth_required=true and that the route is protected by Shopware’s admin authentication mechanisms.
  • If an immediate upgrade is not possible, restrict access to /admin/adminer at the web server or firewall level to trusted IPs or apply temporary HTTP authentication to limit exposure.

Generated by OpenCVE AI on April 18, 2026 at 12:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f339-246p-wwjp FroshAdminer Adminer UI is accessible without admin session
History

Sat, 28 Feb 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Friendsofshopware froshadminer
CPEs cpe:2.3:a:friendsofshopware:froshadminer:*:*:*:*:*:*:*:*
Vendors & Products Friendsofshopware froshadminer
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Friendsofshopware
Friendsofshopware froshplatformadminer
Vendors & Products Friendsofshopware
Friendsofshopware froshplatformadminer

Mon, 09 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.
Title FroshAdminer Adminer UI is accessible without admin session
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Friendsofshopware Froshadminer Froshplatformadminer
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:58:56.777Z

Reserved: 2026-02-06T21:08:39.128Z

Link: CVE-2026-25878

cve-icon Vulnrichment

Updated: 2026-02-10T15:39:41.321Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T21:15:50.380

Modified: 2026-02-28T00:18:44.953

Link: CVE-2026-25878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses