Description
Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.
Published: 2026-06-10
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A timing‑based flaw in the Shopware admin panel allows an attacker to deduce administrator usernames by measuring response times. This weakness, classified as CWE‑208, enables credential reconnaissance without needing valid credentials, potentially aiding future credential‑guessing or brute‑force attacks. The impact is a compromise of confidentiality for administrative identities, but there is no immediate elevation of privileges or data disclosure.

Affected Systems

Shopware versions prior to 6.6.10.18 on the 6.6 branch and prior to 6.7.10.1 on the 6.7 branch are affected. Users running these releases should verify their installed versions and apply the recommended updates.

Risk and Exploitability

The CVSS score of 3.7 indicates low overall severity, and no EPSS score is available, so there is no exploitation-probability data to draw on. The vulnerability is not listed in CISA KEV, further indicating that widespread attacks are not known. However, the attack vector is inferred to be remote: any external host able to reach the admin panel could attempt the timing measurements, so the issue is potentially exploitable where the panel is publicly reachable. Given the low CVSS, exploitation risk is considered low but non-zero for exposed installations.

Generated by OpenCVE AI on June 10, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Shopware to at least 6.6.10.18 or 6.7.10.1 to eliminate the timing leak.
  • Configure the back‑office to require strong authentication and limit exposure to trusted networks or VPN access.
  • Review access logs for repeated timing‑based access attempts and consider implementing rate‑limiting or intrusion detection rules to detect enumeration activity.


Advisories
Source: Github GHSA
ID: GHSA-7w52-7jvm-m9vw
Title: Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
History

Wed, 10 Jun 2026 23:00:00 +0000

Type: First Time appeared
  Values added: Shopware; Shopware shopware
Type: Vendors & Products
  Values added: Shopware; Shopware shopware

Wed, 10 Jun 2026 21:00:00 +0000

Type: Description
  Values added: Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.
Type: Title
  Values added: Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
Type: Weaknesses
  Values added: CWE-208
Type: References (no values listed)
Type: Metrics
  Values added: cvssV3_1: score 3.7, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:07:02.345Z

Reserved: 2026-05-20T17:44:09.586Z

Link: CVE-2026-48011

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:17:00.850

Modified: 2026-06-10T22:17:00.850

Link: CVE-2026-48011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:15:28Z

Weaknesses