{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.687Z", "datePublished": "2026-03-11T18:49:46.294Z", "dateUpdated": "2026-03-12T20:02:14.866Z"}, "containers": {"cna": {"title": "Shopware unauthenticated data extraction possible through store-api.order endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584"}], "affected": [{"vendor": "shopware", "product": "core", "versions": [{"version": ">= 6.7.0.0, < 6.7.8.1", "status": "affected"}, {"version": "< 6.6.10.15", "status": "affected"}]}, {"vendor": "shopware", "product": "platform", "versions": [{"version": ">= 6.7.0.0, < 6.7.8.1", "status": "affected"}, {"version": "< 6.6.10.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:49:46.294Z"}, "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15."}], "source": {"advisory": "GHSA-7vvp-j573-5584", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:02:07.674304Z", "id": "CVE-2026-31887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:02:14.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T20:02:07.674304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:02:11.688Z"}}], "cna": {"title": "Shopware unauthenticated data extraction possible through store-api.order endpoint", "source": {"advisory": "GHSA-7vvp-j573-5584", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "shopware", "product": "core", "versions": [{"status": "affected", "version": ">= 6.7.0.0, < 6.7.8.1"}, {"status": "affected", "version": "< 6.6.10.15"}]}, {"vendor": "shopware", "product": "platform", "versions": [{"status": "affected", "version": ">= 6.7.0.0, < 6.7.8.1"}, {"status": "affected", "version": "< 6.6.10.15"}]}], "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:49:46.294Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31887", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:02:14.866Z", "dateReserved": "2026-03-09T21:59:02.687Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T18:49:46.294Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5486B22-79CE-4581-BD61-4CF0E3BFB843", "versionEndExcluding": "6.6.10.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A198E1E6-E6EE-4D98-BF25-E2A5055E8DC8", "versionEndExcluding": "6.7.8.1", "versionStartIncluding": "6.7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta. Antes de las versiones 6.7.8.1 y 6.6.10.15, una verificaci\u00f3n insuficiente de los tipos de filtro para clientes no autenticados permite el acceso a pedidos de otros clientes. Esto forma parte del soporte de deepLinkCode en el endpoint store-API.order. Esta vulnerabilidad se ha corregido en las versiones 6.7.8.1 y 6.6.10.15."}], "id": "CVE-2026-31887", "lastModified": "2026-03-16T20:39:53.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T19:16:04.950", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.7.0.0,6.7.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.6.10.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "platform", "source": "cna", "vendor": "shopware"}, "product": "platform", "vendor": "shopware"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.7.0.0,6.7.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.6.10.15)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "core", "source": "cna", "vendor": "shopware"}, "product": "shopware", "vendor": "shopware"}], "analysis": {"en": {"generated_at": "2026-03-16T23:12:29.122688+00:00", "value": {"mitigation_remediation": ["Apply vendor patch to Shopware version 6.7.8.1 or later, or to 6.6.10.15 or later.", "If upgrading is not feasible, block unauthenticated requests to the store-api.order endpoint using network or application\u2011level restrictions.", "Temporarily restrict access to the store-api.order endpoint by requiring authentication or limiting user roles.", "Monitor logs for abnormal activity that might indicate exploitation of the data extraction issue."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Relevant Shopware products affected are the core and platform components. Versions released prior to 6.7.8.1 and 6.6.10.15 are susceptible. No further version granularity is provided in the CVE data. Vendors have confirmed that upgrading to 6.7.8.1 or later, or to 6.6.10.15 or later, removes the vulnerability.", "description_and_impact": "Shopware, an open commerce platform, contains a flaw in the deepLinkCode handling of the store-api.order endpoint. The system performs an insufficient check on filter types for unauthenticated users, allowing them to retrieve order data belonging to other customers. This vulnerability can lead to unauthorized disclosure of order details, impacting confidentiality and potentially exposing sensitive customer information. The weakness is identified as CWE-863 (Improper Authorization).", "risk_and_exploitability": "The CVSS v3 score of 8.9 classifies this issue as High severity. The EPSS score is reported as less than 1%, indicating a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit it remotely by sending unauthenticated requests to the store\u2011api.order endpoint; no special privileges or additional credentials are required."}}}}, "created": "2026-03-12T09:56:56.202416+00:00", "updated": "2026-03-20T15:29:31.233523+00:00", "vendors": ["shopware", "shopware$PRODUCT$platform", "shopware$PRODUCT$shopware"]}