Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31888 is a user enumeration vulnerability in Shopware's Store API login endpoint (POST /store-api/account/login) affecting versions before 6.7.8.1 and 6.6.10.15. The vulnerability occurs because the API returns different error codes depending on whether the submitted email address belongs to a registered customer or not."}, {'type': 'list_item', 'content': 'If the email is unknown, the API returns an error code CHECKOUT__CUSTOMER_NOT_FOUND and echoes the probed email address.'}, {'type': 'list_item', 'content': 'If the email is registered but the password is incorrect, it returns CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS.'}, {'type': 'paragraph', 'content': 'This difference in responses allows an unauthenticated attacker to determine which email addresses are registered customers by analyzing the error codes and responses, effectively enumerating valid user accounts.'}, {'type': 'paragraph', 'content': 'The storefront login controller correctly unifies these error responses to prevent enumeration, but the Store API login route does not, causing this inconsistent defense.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to enumerate valid customer email addresses without authentication.

• Attackers can use this information to conduct targeted phishing and social engineering attacks against known customers.
• It can optimize credential stuffing attacks by filtering out invalid emails, increasing the success rate of such attacks.
• It causes privacy violations by confirming user association with the store.
• The reflected email address in error responses could be exploited in reflected content attacks.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending POST requests to the Store API login endpoint (/store-api/account/login) with different email addresses and analyzing the error responses.'}, {'type': 'paragraph', 'content': 'If the response error code differs depending on whether the email is registered or not, specifically returning CHECKOUT__CUSTOMER_NOT_FOUND for unknown emails and CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS for registered emails with wrong passwords, then the system is vulnerable.'}, {'type': 'paragraph', 'content': 'A simple detection command using curl could be:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-shopware-domain.com/store-api/account/login -H \'Content-Type: application/json\' -d \'{"email":"[email protected]","password":"wrongpassword"}\' -i'}, {'type': 'paragraph', 'content': 'By substituting different email addresses (known and unknown), you can observe if the error codes or messages differ, indicating the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include modifying the Store API login endpoint to unify error responses for both unknown and incorrect credentials.

• Catch both CustomerNotFoundException and BadCredentialsException in the Store API LoginRoute::login() method and return a single generic error code CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS.
• Alternatively, modify AccountService::getCustomerByLogin() to catch CustomerNotFoundException internally and throw BadCredentialsException instead, ensuring all error responses are unified.

Additionally, review and update the registration endpoint to avoid leaking email existence information by returning generic success responses and notifying existing users via email.

Applying the official patches by upgrading Shopware to versions 6.7.8.1 or 6.6.10.15 or later is the recommended permanent fix.

Useful 0 Not Useful 0