Description
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC-based authentication without sufficiently binding a shop installation to its original domain. During re-registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app-side secret. By abusing app re-registration, an attacker could redirect app traffic to an attacker-controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.
Published: 2026-03-11
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: API Credential Theft
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Shopware app registration flow. The legacy flow uses HMAC‑based authentication but fails to tie a shop installation to its original domain. When an app is re‑registered, the shop‑URL can be changed without proving control over the previous domain. This allows an attacker who knows the app‑side secret to hijack the communication channel, redirect traffic to a domain controlled by the attacker, and potentially capture API credentials intended for the legitimate shop. The weakness corresponds to CWE‑290 (Authorization Bypass Through Privileged Credentials). The primary impact is the theft of API credentials, which can lead to further compromise or unauthorized control over the shop.
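The weakness class described above, modelled as an added example that is not Shopware's code: a simplified app-side registration handler whose legacy check only verifies the app-secret HMAC, beside a hardened variant that refuses to move a known shop to a new shop-url unless the request is also countersigned with the per-shop secret issued at the original registration. The names (`AppRegistry`, `sign_registration`, the message layout, the secret values and hosts) are constructed, and treating the previously issued shop secret as the proof of control is an assumed mitigation, not a description of the vendor's actual fix.

```python
import hashlib
import hmac
import secrets

# Constructed app secret shared by the app and every shop installing it (not a Shopware value).
APP_SECRET = b"constructed-app-secret"

def sign_registration(shop_id: str, shop_url: str, timestamp: int, key: bytes) -> str:
    """HMAC-SHA256 over the registration parameters, keyed with `key`."""
    message = f"shop-id={shop_id}&shop-url={shop_url}&timestamp={timestamp}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()

class AppRegistry:
    """App-side store of registered shops; bind_to_previous=True enables the hardening."""

    def __init__(self, bind_to_previous: bool):
        self.bind_to_previous = bind_to_previous
        self.shops: dict[str, dict[str, str]] = {}

    def register(self, shop_id, shop_url, timestamp, signature, proof=None):
        # Legacy check: any caller holding the app secret passes this step.
        expected = sign_registration(shop_id, shop_url, timestamp, APP_SECRET)
        if not hmac.compare_digest(expected, signature):
            return None
        existing = self.shops.get(shop_id)
        if existing and existing["shop_url"] != shop_url and self.bind_to_previous:
            # Hardened (assumed mitigation): a changed shop-url must also be signed with
            # the per-shop secret issued at the original registration, held only by that shop.
            key = existing["shop_secret"].encode()
            if proof is None or not hmac.compare_digest(
                    sign_registration(shop_id, shop_url, timestamp, key), proof):
                return None
        self.shops[shop_id] = {"shop_url": shop_url, "shop_secret": secrets.token_hex(16)}
        # The confirmation carrying the API credentials goes to the stored shop_url,
        # so whoever controls that host receives them.
        return self.shops[shop_id]

def url_moved_with_app_secret_only(bind_to_previous: bool) -> bool:
    """Re-register shop-1 under a new shop-url knowing only APP_SECRET; True if it moved."""
    registry = AppRegistry(bind_to_previous)
    first_url, new_url = "https://shop.example", "https://other-host.example"  # constructed
    registry.register("shop-1", first_url, 1, sign_registration("shop-1", first_url, 1, APP_SECRET))
    registry.register("shop-1", new_url, 2, sign_registration("shop-1", new_url, 2, APP_SECRET))
    return registry.shops["shop-1"]["shop_url"] == new_url
```

With `bind_to_previous=False` the second registration silently moves the shop-url; with it enabled the move is refused unless the caller can produce the countersignature, which is the binding the legacy flow lacked.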

Affected Systems

Affected products are Shopware core and Shopware platform. Versions prior to 6.6.10.15 and 6.7.8.1 are vulnerable.

Risk and Exploitability

The CVSS score is 8.9 (High). EPSS score is less than 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to possess the app’s secret and to trigger the re‑registration process, which limits the attack surface. Nevertheless, the high severity and potential for credential theft justify immediate patching.

Generated by OpenCVE AI on March 16, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Shopware to version 6.6.10.15 or newer, or 6.7.8.1 or newer.


Advisories

Source: GitHub GHSA
ID: GHSA-c4p7-rwrg-pf6p
Title: Shopware vulnerable to a potential take over of app credentials
History

Mon, 16 Mar 2026 20:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Shopware; Shopware platform; Shopware shopware

Type: Vendors & Products
Values added: Shopware; Shopware platform; Shopware shopware

Wed, 11 Mar 2026 19:30:00 +0000

Type: Description
Values added: Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.

Type: Title
Values added: Shopware has a potential take over of app credentials

Type: Weaknesses
Values added: CWE-290

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:04:11.623Z

Reserved: 2026-03-09T21:59:02.687Z

Link: CVE-2026-31889

Vulnrichment

Updated: 2026-03-12T20:04:07.189Z

NVD

Status : Analyzed

Published: 2026-03-11T20:16:15.287

Modified: 2026-03-16T20:18:18.410

Link: CVE-2026-31889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:27Z

Weaknesses