Description
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure – Customer Enumeration
Action: Apply Patch
AI Analysis

Impact

Shopware’s Store API login endpoint (POST /store-api/account/login) returns distinct error codes that reveal whether an entered email address belongs to a registered customer; additionally, the "CHECKOUT__CUSTOMER_NOT_FOUND" response echoes the probed email address. This flaw allows an unauthenticated attacker to enumerate valid customer accounts, exposing customer data and potentially facilitating targeted attacks. The vulnerability is a classic example of CWE-204 (Information Exposure – Sensitive Data Leakage).
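The two response paths the description contrasts, as an added example that is not Shopware's code: a constructed customer table, a leaky handler shaped like the affected Store API behaviour, its unified counterpart (the shape the storefront controller already had), and a check a tester can run against either. The error message strings, salt and hashing scheme are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo store: email -> PBKDF2 hash. Not Shopware's schema.
_SALT = b"demo-salt"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


CUSTOMERS = {"alice@example.com": _hash("correct horse")}
_DUMMY = _hash("")  # compared against when the account is unknown


def login_vulnerable(email: str, password: str) -> dict:
    """Mirrors the affected Store API: two codes, and the probed email echoed."""
    stored = CUSTOMERS.get(email)
    if stored is None:
        return {"status": 401, "code": "CHECKOUT__CUSTOMER_NOT_FOUND",
                "detail": f'No matching customer for the email "{email}" was found.'}
    if not hmac.compare_digest(stored, _hash(password)):
        return {"status": 401, "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS",
                "detail": "Invalid username and/or password."}
    return {"status": 200, "contextToken": secrets.token_hex(16)}


def login_fixed(email: str, password: str) -> dict:
    """Unified failure path: one code, one message, nothing from the input echoed."""
    stored = CUSTOMERS.get(email)
    # Always run the hash comparison (against a dummy when unknown) so the
    # work done, and hence the timing, is similar on both failure branches.
    candidate = stored if stored is not None else _DUMMY
    ok = hmac.compare_digest(candidate, _hash(password)) and stored is not None
    if not ok:
        return {"status": 401, "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS",
                "detail": "Invalid username and/or password."}
    return {"status": 200, "contextToken": secrets.token_hex(16)}


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Defender's check: a wrong password on a known account must produce the
    same response body as any password on an unknown account."""
    return handler(known, "wrong-password") != handler(unknown, "wrong-password")
```

Running the check against a real deployment means comparing full response bodies, including status codes, for a known and an unknown address, which is the same comparison this function performs on the demo handlers.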

Affected Systems

The flaw affects Shopware core and platform products, specifically any installation running a version earlier than 6.7.8.1 or 6.6.10.15. The CNA lists the affected products as shopware:core and shopware:platform, with the CPE string cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:* covering the product family.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests low current exploit probability; the vulnerability is not cataloged in CISA’s KEV. Exploitation requires no authentication, and an attacker can simply send repeated login attempts to the Store API endpoint, gleaning valid email addresses from the differing error codes. Given the ease of use—simple HTTP requests—and the low resources required, the risk to affected systems is tangible if the platform handles sensitive customer data. Prompt patching mitigates this exposure.

Generated by OpenCVE AI on March 16, 2026 at 23:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shopware to version 6.7.8.1 or later on affected installations.
  • Upgrade Shopware to version 6.6.10.15 or later on affected installations.

Advisories
Source ID Title
Github GHSA GHSA-gqc5-xv7m-gcjq Shopware has user enumeration via distinct error codes on Store API login endpoint
History

Mon, 16 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Shopware
Shopware platform
Shopware shopware
Vendors & Products Shopware
Shopware platform
Shopware shopware

Wed, 11 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
Title Shopware has user enumeration via distinct error codes on Store API login endpoint
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:02:47.581Z

Reserved: 2026-03-09T21:59:02.687Z

Link: CVE-2026-31888

Vulnrichment

Updated: 2026-03-12T20:02:44.325Z

NVD

Status : Analyzed

Published: 2026-03-11T19:16:05.113

Modified: 2026-03-16T20:37:21.750

Link: CVE-2026-31888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:29Z

Weaknesses