Description
A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.
Published: 2026-05-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the InstallServiceProvider::boot function of innocommerce InnoShop’s Installation Endpoint, where authentication checks are bypassed. As a result, an attacker who can reach the endpoint can remotely gain unauthorized access to the system and potentially perform arbitrary actions through it. The flaw is classified as CWE-287 (Improper Authentication) and carries a CVSS score of 6.9, indicating moderate to high severity.

Affected Systems

The flaw affects installations of innocommerce InnoShop, specifically versions up to 0.7.8. Users of the "innocommerce:InnoShop" product within that version range are at risk if the installation endpoint is exposed to untrusted networks.

Risk and Exploitability

The EPSS score is not available, so the probability of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. Remote exploitation is possible, and the attack vector is likely direct HTTP requests to the installation endpoint. An attacker who can reach the endpoint can trigger the boot function without authenticating, thereby compromising system integrity and confidentiality. The CVSS score of 6.9 reflects the threat of unauthorized access but does not indicate remote code execution; the real-world impact largely depends on the actions an attacker can perform after the bypass.

Generated by OpenCVE AI on May 2, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9 or upgrade to the latest InnoShop release (0.7.9 or later).
  • Restrict network exposure of the Installation Endpoint by configuring firewalls or application-level routing to limit access to trusted IP ranges or internal networks.
  • Ensure that authentication mechanisms for all endpoints, particularly installation-related routes, are enabled and validated following the vendor’s security guidelines.

Tracking

Advisories

No advisories yet.

History

Sat, 02 May 2026 13:30:00 +0000

All values below were added in this change; no values were removed.

Description: A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.

Title: innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication

Weaknesses: CWE-287

References: none

Metrics:

  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T13:15:13.485Z

Reserved: 2026-05-01T14:28:41.503Z

Link: CVE-2026-7630

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T14:16:18.160

Modified: 2026-05-02T14:16:18.160

Link: CVE-2026-7630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T14:45:44Z

Weaknesses