{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.687Z", "datePublished": "2026-03-11T18:56:23.171Z", "dateUpdated": "2026-03-12T20:04:11.623Z"}, "containers": {"cna": {"title": "Shopware has a potential take over of app credentials", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p"}], "affected": [{"vendor": "shopware", "product": "core", "versions": [{"version": ">= 6.7.0.0, < 6.7.8.1", "status": "affected"}, {"version": "< 6.6.10.15", "status": "affected"}]}, {"vendor": "shopware", "product": "platform", "versions": [{"version": ">= 6.7.0.0, < 6.7.8.1", "status": "affected"}, {"version": "< 6.6.10.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:56:23.171Z"}, "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC\u2011based authentication without sufficiently binding a shop installation to its original domain. During re\u2011registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app\u2011side secret. By abusing app re\u2011registration, an attacker could redirect app traffic to an attacker\u2011controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1."}], "source": {"advisory": "GHSA-c4p7-rwrg-pf6p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:04:03.569165Z", "id": "CVE-2026-31889", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:04:11.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31889", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T20:04:03.569165Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:04:07.189Z"}}], "cna": {"title": "Shopware has a potential take over of app credentials", "source": {"advisory": "GHSA-c4p7-rwrg-pf6p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "shopware", "product": "core", "versions": [{"status": "affected", "version": ">= 6.7.0.0, < 6.7.8.1"}, {"status": "affected", "version": "< 6.6.10.15"}]}, {"vendor": "shopware", "product": "platform", "versions": [{"status": "affected", "version": ">= 6.7.0.0, < 6.7.8.1"}, {"status": "affected", "version": "< 6.6.10.15"}]}], "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC\u2011based authentication without sufficiently binding a shop installation to its original domain. During re\u2011registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app\u2011side secret. By abusing app re\u2011registration, an attacker could redirect app traffic to an attacker\u2011controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:56:23.171Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31889", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:04:11.623Z", "dateReserved": "2026-03-09T21:59:02.687Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T18:56:23.171Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5486B22-79CE-4581-BD61-4CF0E3BFB843", "versionEndExcluding": "6.6.10.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A198E1E6-E6EE-4D98-BF25-E2A5055E8DC8", "versionEndExcluding": "6.7.8.1", "versionStartIncluding": "6.7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC\u2011based authentication without sufficiently binding a shop installation to its original domain. During re\u2011registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app\u2011side secret. By abusing app re\u2011registration, an attacker could redirect app traffic to an attacker\u2011controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta. Antes de las versiones 6.6.10.15 y 6.7.8.1, una vulnerabilidad en el flujo de registro de aplicaciones de Shopware que podr\u00eda, bajo condiciones espec\u00edficas, permitir a los atacantes tomar el control del canal de comunicaci\u00f3n entre una tienda y una aplicaci\u00f3n. El flujo de registro de aplicaciones heredado utilizaba autenticaci\u00f3n basada en HMAC sin vincular suficientemente una instalaci\u00f3n de tienda a su dominio original. Durante el nuevo registro, la URL de la tienda podr\u00eda actualizarse sin probar el control sobre la tienda o dominio previamente registrado. Esto hizo factible el secuestro dirigido de la comunicaci\u00f3n de la aplicaci\u00f3n si un atacante pose\u00eda el secreto relevante del lado de la aplicaci\u00f3n. Al abusar del nuevo registro de la aplicaci\u00f3n, un atacante podr\u00eda redirigir el tr\u00e1fico de la aplicaci\u00f3n a un dominio controlado por el atacante y potencialmente obtener credenciales de API destinadas a la tienda leg\u00edtima. Esta vulnerabilidad est\u00e1 corregida en las versiones 6.6.10.15 y 6.7.8.1."}], "id": "CVE-2026-31889", "lastModified": "2026-03-16T20:18:18.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T20:16:15.287", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.7.0.0,6.7.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.6.10.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "platform", "source": "cna", "vendor": "shopware"}, "product": "platform", "vendor": "shopware"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.7.0.0,6.7.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.6.10.15)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "core", "source": "cna", "vendor": "shopware"}, "product": "shopware", "vendor": "shopware"}], "analysis": {"en": {"generated_at": "2026-03-16T23:11:32.830911+00:00", "value": {"mitigation_remediation": ["Update Shopware to version 6.6.10.15 or newer, or 6.7.8.1 or newer."], "summary": {"action": "Apply Patch", "impact": "API Credential Theft"}, "threat_synthesis": {"affected_systems": "Affected products are Shopware core and Shopware platform. Versions prior to 6.6.10.15 and 6.7.8.1 are vulnerable.", "description_and_impact": "The vulnerability resides in the Shopware app registration flow. The legacy flow uses HMAC\u2011based authentication but fails to tie a shop installation to its original domain. When an app is re\u2011registered, the shop\u2011URL can be changed without proving control over the previous domain. This allows an attacker who knows the app\u2011side secret to hijack the communication channel, redirect traffic to a domain controlled by the attacker, and potentially capture API credentials intended for the legitimate shop. The weakness corresponds to CWE\u2011290 (Authorization Bypass Through Privileged Credentials). The primary impact is the theft of API credentials, which can lead to further compromise or unauthorized control over the shop.", "risk_and_exploitability": "The CVSS score is 8.9 (High). EPSS score is less than 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to possess the app\u2019s secret and to trigger the re\u2011registration process, which limits the attack surface. Nevertheless, the high severity and potential for credential theft justify immediate patching."}}}}, "created": "2026-03-12T09:56:52.472833+00:00", "updated": "2026-03-20T15:29:27.395155+00:00", "vendors": ["shopware", "shopware$PRODUCT$platform", "shopware$PRODUCT$shopware"]}