CVE-2026-31887
Unauthorized Access via Insufficient Filter Validation in Shopware Orders
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shopware | shopware | Up to 6.6.10.15 (exc) |
| shopware | shopware | From 6.7.0.0 (inc) to 6.7.8.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31887 is a high-severity vulnerability in Shopware versions prior to 6.7.8.1 and 6.6.10.15. It exists in the store-api.order endpoint, specifically in the deepLinkCode feature, where there is insufficient validation of filter types for unauthenticated customers.
This flaw allows attackers to access orders belonging to other customers without needing any privileges or user interaction. The vulnerability can be exploited remotely over the network with low attack complexity.
Attackers can extract sensitive customer information such as names, billing and shipping addresses, email addresses, ordered products, order values, order numbers, order dates, payment and shipping method details, and potentially other custom data.
How can this vulnerability impact me?
This vulnerability impacts the confidentiality of customer data by allowing unauthorized access to sensitive order information of other customers.
Attackers can remotely and easily enumerate and scrape recent customer orders, which poses a significant privacy risk.
The impact is limited to confidentiality; there is no effect on data integrity or system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the store-api.order endpoint in Shopware versions prior to 6.7.8.1 and 6.6.10.15, specifically through the deepLinkCode support, where insufficient validation allows unauthorized access to other customers' order data.
Detection can involve monitoring network traffic for suspicious requests to the store-api.order endpoint that include deepLinkCode parameters from unauthenticated users.
While no specific detection commands are provided, you can use tools like curl or HTTP request monitoring to test whether the endpoint returns order data without authentication.
- Example curl command to test the vulnerability (replace <URL> and <deepLinkCode>):
- `curl -X GET "<URL>/store-api/order?deepLinkCode=<deepLinkCode>" -v`
If the response contains order details without authentication, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Shopware to a patched version where this vulnerability is fixed.
- Upgrade to Shopware version 6.7.8.1 or later if running a 6.7.x version.
- Upgrade to Shopware version 6.6.10.15 or later if running a 6.6.x version.
Until the upgrade can be applied, consider restricting access to the store-api.order endpoint to authenticated users only or implementing additional access controls to prevent unauthenticated access.
Monitor logs for suspicious access patterns to the store-api.order endpoint and consider rate limiting to reduce the risk of mass enumeration.
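The log-monitoring step above (unauthenticated deepLinkCode lookups against the order endpoint, and one client issuing many of them) can be turned into a small detection script. The example below is added here and is not Shopware's code nor part of the original advisory; it assumes a constructed JSON-per-line access log with `ip`, `method`, `uri` and `customer_id` fields (null when no customer is logged in), which is not Shopware's own log format and must be adapted to whatever your proxy or application logger emits. It follows the GET-with-query-parameter form shown in the detection answer; if your deployment passes the criteria in a request body, the parser must read that body field instead.

```python
"""
Detection helper for CVE-2026-31887 access patterns: unauthenticated requests
to the Shopware store-api order endpoint carrying a deepLinkCode filter, and
clients that issue many of them (enumeration / scraping of recent orders).

Log format assumption (constructed for this example, not Shopware's format):
one JSON object per line with fields ts, ip, method, uri, customer_id.
"""
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ORDER_PATH = "/store-api/order"

# Constructed sample log lines; none of this is real traffic.
SAMPLE_LOG = """\
{"ts":"2026-03-12T10:00:01Z","ip":"198.51.100.7","method":"GET","uri":"/store-api/order?deepLinkCode=abc123","customer_id":null}
{"ts":"2026-03-12T10:00:02Z","ip":"198.51.100.7","method":"GET","uri":"/store-api/order?deepLinkCode=abc124","customer_id":null}
{"ts":"2026-03-12T10:00:03Z","ip":"198.51.100.7","method":"GET","uri":"/store-api/order?deepLinkCode=abc125","customer_id":null}
{"ts":"2026-03-12T10:00:04Z","ip":"203.0.113.9","method":"GET","uri":"/store-api/order?deepLinkCode=zzz999","customer_id":null}
{"ts":"2026-03-12T10:00:05Z","ip":"203.0.113.10","method":"GET","uri":"/store-api/order","customer_id":"c-42"}
{"ts":"2026-03-12T10:00:06Z","ip":"203.0.113.11","method":"POST","uri":"/store-api/product","customer_id":null}
not a json line
"""


def parse_line(line):
    """Parse one JSON log line; return None for lines that are not valid JSON."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    parts = urlsplit(rec.get("uri", ""))
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # dict of param -> list of values
    return rec


def is_unauth_deeplink_order_request(rec):
    """True when a client with no customer session queries the order endpoint
    with a deepLinkCode filter, the pattern the advisory describes."""
    return (
        rec["path"] == ORDER_PATH
        and "deepLinkCode" in rec["query"]
        and rec.get("customer_id") is None
    )


def analyze(log_text, enumeration_threshold=3):
    """Return (flagged_records, suspects) where suspects maps an IP to the set of
    distinct deepLinkCode values it tried, for IPs at or above the threshold.
    The threshold is a tuning knob; a legitimate guest checks one code, not many."""
    flagged = []
    codes_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_unauth_deeplink_order_request(rec):
            flagged.append(rec)
            for code in rec["query"]["deepLinkCode"]:
                codes_by_ip[rec["ip"]].add(code)
    suspects = {
        ip: codes
        for ip, codes in codes_by_ip.items()
        if len(codes) >= enumeration_threshold
    }
    return flagged, suspects


if __name__ == "__main__":
    flagged, suspects = analyze(SAMPLE_LOG)
    print(f"{len(flagged)} unauthenticated deepLinkCode order requests")
    for ip, codes in suspects.items():
        print(f"possible enumeration from {ip}: {len(codes)} distinct codes")
```

Run against the constructed sample, the script flags four unauthenticated deepLinkCode lookups and reports 198.51.100.7 as a likely enumerator (three distinct codes in three seconds); the logged-in customer fetching their own order and the product request are ignored. The per-IP code count is also the signal a rate limit on this endpoint would act on.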