Description
A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.
Published: 2026-05-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the InstallServiceProvider::boot function of innocommerce InnoShop’s Installation Endpoint, where authentication checks can be bypassed. As a result, a remote attacker can gain unauthorized access to the system and potentially execute arbitrary actions. The flaw is categorized as CWE-287 and carries a CVSS score of 6.9 (Medium).

Affected Systems

The flaw affects innocommerce InnoShop versions up to 0.7.8. Users of the "innocommerce:InnoShop" product within that version range are at risk if the installation endpoint is exposed to untrusted networks.

Risk and Exploitability

The EPSS score is not available, so exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog. Remote exploitation is possible, and the attack vector is likely through direct HTTP requests to the installation endpoint. An attacker who can reach the endpoint can trigger the boot function without authenticating, thereby compromising system integrity and confidentiality. The CVSS score of 6.9 reflects the threat of unauthorized access but does not indicate remote code execution; the actual impact largely depends on the actions an attacker can perform post-bypass.

Generated by OpenCVE AI on May 2, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9 or upgrade to the latest InnoShop release (0.7.9 or later).
  • Restrict network exposure of the Installation Endpoint by configuring firewalls or application-level routing to limit access to trusted IP ranges or internal networks.
  • Ensure that authentication mechanisms for all endpoints, particularly installation-related routes, are enabled and validated following the vendor’s security guidelines.

Advisories

No advisories yet.

History

Mon, 04 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Innocommerce; Innocommerce innoshop
Vendors & Products | | Innocommerce; Innocommerce innoshop

Mon, 04 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 02 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.
Title | | innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication
Weaknesses | | CWE-287
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T13:12:56.976Z

Reserved: 2026-05-01T14:28:41.503Z

Link: CVE-2026-7630

Vulnrichment

Updated: 2026-05-04T13:12:52.703Z

NVD

Status: Deferred

Published: 2026-05-02T14:16:18.160

Modified: 2026-05-05T19:15:06.200

Link: CVE-2026-7630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:06:52Z

Weaknesses