{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32142", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.547Z", "datePublished": "2026-03-12T18:17:35.939Z", "dateUpdated": "2026-03-13T16:18:35.366Z"}, "containers": {"cna": {"title": "shopware/commercial: `/api/_info/config` route exposes information about licenses", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-gvmv-9f74-mhwp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gvmv-9f74-mhwp"}], "affected": [{"vendor": "shopware", "product": "commercial", "versions": [{"version": ">= 7.0.0, < 7.8.1", "status": "affected"}, {"version": "< 6.10.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:17:35.939Z"}, "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15."}], "source": {"advisory": "GHSA-gvmv-9f74-mhwp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:18:23.948323Z", "id": "CVE-2026-32142", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:18:35.366Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:18:23.948323Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:18:29.864Z"}}], "cna": {"title": "shopware/commercial: `/api/_info/config` route exposes information about licenses", "source": {"advisory": "GHSA-gvmv-9f74-mhwp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "shopware", "product": "commercial", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.8.1"}, {"status": "affected", "version": "< 6.10.15"}]}], "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-gvmv-9f74-mhwp", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-gvmv-9f74-mhwp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:17:35.939Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32142", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:18:35.366Z", "dateReserved": "2026-03-10T22:19:36.547Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T18:17:35.939Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta. La ruta /api/_info/config expone informaci\u00f3n sobre licencias. Esta vulnerabilidad est\u00e1 corregida en 7.8.1 y 6.10.15."}], "id": "CVE-2026-32142", "lastModified": "2026-04-16T14:47:16.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T19:16:16.640", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gvmv-9f74-mhwp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.10.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "commercial", "source": "cna", "vendor": "shopware"}, "product": "commercial", "vendor": "shopware"}], "analysis": {"en": {"generated_at": "2026-03-18T14:54:25.148975+00:00", "value": {"mitigation_remediation": ["Update Shopware Commercial to at least version 7.8.1 or 6.10.15, the first releases that remove the exposure."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Shopware Commercial installations running a version earlier than 7.8.1 for branch 7 or earlier than 6.10.15 for branch 6 are affected. The CVE notes that the issue is fixed in 7.8.1 and 6.10.15; any version not matching those releases should be considered vulnerable.", "description_and_impact": "The vulnerability exists in the Shopware Commercial platform where the /api/_info/config endpoint discloses licensing information, allowing an attacker to read sensitive license data. The primary impact is a confidentiality breach of licensing credentials, which could be leveraged to assess the system's licensing status or potentially expose proprietary activation secrets. The weakness is classified as CWE-200, Information Exposure.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1%, signifying a low likelihood of active exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit the flaw remotely by accessing the publicly reachable /api/_info/config endpoint, likely without authentication, but the exact prerequisites are not detailed in the description. Since the API endpoint returns licensing data regardless of user context, an unauthenticated request can succeed, making the attack straightforward once the target system is identified."}}}}, "created": "2026-03-13T09:50:26.624695+00:00", "updated": "2026-03-20T15:48:34.532583+00:00", "vendors": ["shopware", "shopware$PRODUCT$commercial"]}