CVE-2026-25878
Unauthorized Access in FroshAdminer Plugin via Unprotected Adminer Route

Publication date: 2026-02-09

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.
Meta Information
Published: 2026-02-09
Last Modified: 2026-02-28
Generated: 2026-06-16
AI Q&A: 2026-02-09
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: friendsofshopware
Product: froshadminer
Version / Range: up to 2.2.1 (excluding)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

The vulnerability exists in FroshAdminer, an Adminer plugin for the Shopware Platform. Before version 2.2.1, the Adminer route (/admin/adminer) was accessible without requiring Shopware admin authentication. This route was configured with auth_required=false and did not perform any session validation, which means that unauthenticated users could access the Adminer user interface.

Impact Analysis

Because the Adminer interface was accessible without authentication, unauthorized users could potentially access administrative database management functions. This could lead to unauthorized data access, modification, or other malicious actions within the Shopware platform.

Compliance Impact

I don't know

Detection Guidance

This vulnerability means the Adminer route (/admin/adminer) is reachable without authentication. To detect it, check whether the /admin/adminer endpoint responds with the Adminer UI when the request carries no Shopware admin session.

One way to test this is to send an unauthenticated HTTP request to the /admin/adminer path on your Shopware installation and observe whether it returns the Adminer UI.

For example, you can use the following command to test accessibility:

  curl -i http://your-shopware-domain/admin/adminer

If the response returns the Adminer interface, or any indication of the Adminer UI, without requiring a login, the vulnerability is present.

Mitigation Strategies

The vulnerability is fixed in FroshAdminer version 2.2.1. The immediate step is to upgrade FroshAdminer to version 2.2.1 or later.

Until the upgrade can be applied, you should restrict access to the /admin/adminer route by implementing authentication or network-level access controls to prevent unauthenticated users from accessing this endpoint.
