CVE-2026-31889

Published: Mar 11, 2026

Modified: Mar 12, 2026

PUBLISHED

CVSS v3.1

8.9

HIGH

Description

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.

Vendor	Product	Versions
shopware	core	affected `>= 6.7.0.0, < 6.7.8.1` affected `< 6.6.10.15`
shopware	platform	affected `>= 6.7.0.0, < 6.7.8.1` affected `< 6.6.10.15`

Weaknesses (CWE)

CWE-290

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31889

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References