{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.687Z", "datePublished": "2026-03-11T18:53:03.018Z", "dateUpdated": "2026-03-12T20:02:47.581Z"}, "containers": {"cna": {"title": "Shopware has user enumeration via distinct error codes on Store API login endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq"}], "affected": [{"vendor": "shopware", "product": "core", "versions": [{"version": ">= 6.7.0.0, < 6.7.8.1", "status": "affected"}, {"version": "< 6.6.10.15", "status": "affected"}]}, {"vendor": "shopware", "product": "platform", "versions": [{"version": ">= 6.7.0.0, < 6.7.8.1", "status": "affected"}, {"version": "< 6.6.10.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:53:03.018Z"}, "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not \u2014 indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15."}], "source": {"advisory": "GHSA-gqc5-xv7m-gcjq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:02:39.331863Z", "id": "CVE-2026-31888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:02:47.581Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T20:02:39.331863Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:02:44.325Z"}}], "cna": {"title": "Shopware has user enumeration via distinct error codes on Store API login endpoint", "source": {"advisory": "GHSA-gqc5-xv7m-gcjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "shopware", "product": "core", "versions": [{"status": "affected", "version": ">= 6.7.0.0, < 6.7.8.1"}, {"status": "affected", "version": "< 6.6.10.15"}]}, {"vendor": "shopware", "product": "platform", "versions": [{"status": "affected", "version": ">= 6.7.0.0, < 6.7.8.1"}, {"status": "affected", "version": "< 6.6.10.14"}]}], "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not \u2014 indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:53:03.018Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31888", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:02:47.581Z", "dateReserved": "2026-03-09T21:59:02.687Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T18:53:03.018Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5486B22-79CE-4581-BD61-4CF0E3BFB843", "versionEndExcluding": "6.6.10.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A198E1E6-E6EE-4D98-BF25-E2A5055E8DC8", "versionEndExcluding": "6.7.8.1", "versionStartIncluding": "6.7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not \u2014 indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta. Antes de las versiones 6.7.8.1 y 6.6.10.15, el endpoint de inicio de sesi\u00f3n de la Store API (POST /store-api/account/login) devuelve diferentes c\u00f3digos de error dependiendo de si la direcci\u00f3n de correo electr\u00f3nico enviada pertenece a un cliente registrado (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) o es desconocida (CHECKOUT__CUSTOMER_NOT_FOUND). La respuesta de 'no encontrado' tambi\u00e9n hace eco de la direcci\u00f3n de correo electr\u00f3nico probada. Esto permite a un atacante no autenticado enumerar cuentas de clientes v\u00e1lidas. El controlador de inicio de sesi\u00f3n del storefront unifica correctamente ambas rutas de error, pero la Store API no lo hace \u2014 lo que indica una defensa inconsistente. Esta vulnerabilidad est\u00e1 corregida en las versiones 6.7.8.1 y 6.6.10.15."}], "id": "CVE-2026-31888", "lastModified": "2026-03-16T20:37:21.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T19:16:05.113", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.7.0.0,6.7.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.6.10.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "platform", "source": "cna", "vendor": "shopware"}, "product": "platform", "vendor": "shopware"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.7.0.0,6.7.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.6.10.15)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "core", "source": "cna", "vendor": "shopware"}, "product": "shopware", "vendor": "shopware"}], "analysis": {"en": {"generated_at": "2026-03-16T23:46:05.797431+00:00", "value": {"mitigation_remediation": ["Upgrade Shopware to version 6.7.8.1 or later on affected installations.", "Upgrade Shopware to version 6.6.10.15 or later on affected installations."], "summary": {"action": "Apply Patch", "impact": "Information Exposure \u2013 Customer Enumeration"}, "threat_synthesis": {"affected_systems": "The flaw affects Shopware core and platform products, specifically any installations running versions earlier than 6.7.8.1 or 6.6.10.15. These affected products are listed under the CNA vendors/shopware:core and shopware:platform, with the CPES string cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:* covering the product family.", "description_and_impact": "Shopware\u2019s Store API login endpoint (POST /store-api/account/login) returns distinct error codes that reveal whether an entered email address belongs to a registered customer; additionally, the \"CHECKOUT__CUSTOMER_NOT_FOUND\" response echoes the probed email address. This flaw allows an unauthenticated attacker to enumerate valid customer accounts, exposing customer data and potentially facilitating targeted attacks. The vulnerability is a classic example of CWE\u2011204 (Information Exposure \u2013 Sensitive Data Leakage).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests low current exploit probability; the vulnerability is not cataloged in CISA\u2019s KEV. Exploitation requires no authentication, and an attacker can simply send repeated login attempts to the Store API endpoint, gleaning valid email addresses from the differing error codes. Given the ease of use\u2014simple HTTP requests\u2014and the low resources required, the risk to affected systems is tangible if the platform handles sensitive customer data. Prompt patching mitigates this exposure."}}}}, "created": "2026-03-12T09:56:54.279195+00:00", "updated": "2026-03-20T15:29:29.355596+00:00", "vendors": ["shopware", "shopware$PRODUCT$platform", "shopware$PRODUCT$shopware"]}