CVE-2026-31889

HIGH EPSS 18.3%

Published Mar 11, 20263mo ago · Modified Jun 17, 20261w ago

8.9 CVSS 3.1

High

Published Mar 11, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.

CVSS Details

Base Score

8.9

Exploitability

2.2

Impact

6.0

Vector string

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

Attack Vector Network

Attack Complexity High

Privileges Required None

User Interaction None

Scope Changed

Confidentiality High

Integrity High

Availability Low

Threat Intelligence

EPSS Exploit Probability

18.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-290

Affected Products 2

Vendor	Product	Version	Range
shopware	shopware	*	<6.6.10.15
shopware	shopware	*	≥6.7.0.0 – <6.7.8.1

References 1

github.com https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.