Description
Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.
Published: 2026-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the Shopware Commercial platform where the /api/_info/config endpoint discloses licensing information, allowing an attacker to read sensitive license data. The primary impact is a confidentiality breach of licensing credentials, which could be leveraged to assess the system's licensing status or potentially expose proprietary activation secrets. The weakness is classified as CWE-200, Information Exposure.

Affected Systems

Shopware Commercial installations running a version earlier than 7.8.1 for branch 7 or earlier than 6.10.15 for branch 6 are affected. The CVE notes that the issue is fixed in 7.8.1 and 6.10.15; any version not matching those releases should be considered vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1%, signifying a low likelihood of active exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely by accessing the publicly reachable /api/_info/config endpoint, likely without authentication, but the exact prerequisites are not detailed in the description. Since the API endpoint returns licensing data regardless of user context, an unauthenticated request can succeed, making the attack straightforward once the target system is identified.

Generated by OpenCVE AI on March 18, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Shopware Commercial to at least version 7.8.1 or 6.10.15, the first releases that remove the exposure.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Shopware; Shopware commercial
Vendors & Products | | Shopware; Shopware commercial

Thu, 12 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.
Title | | shopware/commercial: `/api/_info/config` route exposes information about licenses
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:18:35.366Z

Reserved: 2026-03-10T22:19:36.547Z

Link: CVE-2026-32142

Vulnrichment

Updated: 2026-03-13T16:18:29.864Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T19:16:16.640

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-32142

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:48:34Z

Weaknesses