Description
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-9v5m-39wh-5chq | Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment |
References
History
Fri, 17 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Shopware
Shopware platform Shopware shopware |
|
| Vendors & Products |
Shopware
Shopware platform Shopware shopware |
Fri, 17 Jul 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1. | |
| Title | Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment | |
| Weaknesses | CWE-639 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T17:54:21.990Z
Reserved: 2026-05-20T17:44:09.586Z
Link: CVE-2026-48016
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T19:45:04Z
Weaknesses
-
CWE-639
Authorization Bypass Through User-Controlled Key
Github GHSA