CVE-2026-25878
Unauthorized Access in FroshAdminer Plugin via Unprotected Adminer Route
Publication date: 2026-02-09
Last updated on: 2026-02-28
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| friendsofshopware | froshadminer | < 2.2.1 (2.2.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in FroshAdminer, an Adminer plugin for the Shopware Platform. Before version 2.2.1, the Adminer route (/admin/adminer) was accessible without requiring Shopware admin authentication. This route was configured with auth_required=false and did not perform any session validation, which means that unauthenticated users could access the Adminer user interface.
How can this vulnerability impact me?
Because the Adminer interface was accessible without authentication, unauthorized users could potentially access administrative database management functions. This could lead to unauthorized data access, modification, or other malicious actions within the Shopware platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Adminer route (/admin/adminer) being accessible without authentication. To detect it, you can check if the /admin/adminer endpoint is accessible without requiring Shopware admin authentication.
One way to test this is by sending an HTTP request to the /admin/adminer path on your Shopware platform and observing if it returns the Adminer UI without authentication.
For example, you can use the following command to test accessibility:
- `curl -i http://your-shopware-domain/admin/adminer`
If the response returns the Adminer interface or any indication of the Adminer UI without requiring login, the vulnerability is present.
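To turn the curl check above into a repeatable verdict for your own instance, here is an added Python script (not from the advisory or the FroshAdminer plugin) that sends one unauthenticated GET to /admin/adminer and classifies the answer. The Adminer HTML markers and the assumption that a patched instance answers 401/403 or redirects into the /admin login are mine.

```python
import urllib.request
import urllib.error
from typing import Optional

ADMINER_PATH = "/admin/adminer"  # route named in the advisory

# Markers indicating the Adminer UI itself was rendered. Assumption: stock
# Adminer HTML, whose title and login form name the tool and its auth fields.
ADMINER_MARKERS = ("adminer", 'name="auth[driver]"')

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify_response(status: int, location: Optional[str], body: str) -> str:
    """Verdict for one unauthenticated GET of /admin/adminer.

    exposed   - Adminer UI served with no Shopware session (vulnerable)
    protected - auth challenge, denial, or redirect into the admin login
    absent    - route not present (plugin missing or route removed)
    unknown   - anything else; inspect the response by hand
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected" if location and "/admin" in location else "unknown"
    if status == 404:
        return "absent"
    if status == 200 and any(m in body.lower() for m in ADMINER_MARKERS):
        return "exposed"
    return "unknown"

def check_adminer_route(base_url: str, timeout: float = 10.0) -> str:
    """Send a single cookie-less, token-less GET and classify the result."""
    req = urllib.request.Request(base_url.rstrip("/") + ADMINER_PATH,
                                 headers={"User-Agent": "froshadminer-check"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:
        body = err.read(65536).decode("utf-8", "replace")
        return classify_response(err.code, err.headers.get("Location"), body)
```

Call `check_adminer_route("https://your-shopware-domain")` against your own deployment; a result of `exposed` means the route is still served without Shopware authentication and the upgrade or access restriction below is needed.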
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in FroshAdminer version 2.2.1. The immediate step is to upgrade FroshAdminer to version 2.2.1 or later.
Until the upgrade can be applied, you should restrict access to the /admin/adminer route by implementing authentication or network-level access controls to prevent unauthenticated users from accessing this endpoint.