CVE-2026-32100
Information Disclosure via /api/_info/config in Shopware

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
Shopware is an open commerce platform. The /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-12
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (6 associated CPEs)
Vendor     Product                   Version / Range
shopware   shopware                  2.0.16
shopware   shopware                  3.0.12
shopware   shopware                  4.0.7
shopware   swag/platform-security    From 2.0.16 (inc) to 4.0.7 (exc)
shopware   swag/platform-security    From 3.0.0 (inc) to 3.0.12 (exc)
shopware   swag/platform-security    to 2.0.16 (exc)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32100 is a moderate severity vulnerability affecting the Shopware security plugin in certain versions. It occurs because the /api/_info/config API route exposes information about active security fixes.

This exposure leads to information disclosure, potentially revealing the system's security state to unauthorized actors.

The vulnerability can be exploited remotely without any privileges or user interaction and has a low attack complexity.

It is classified under CWE-200, which means Exposure of Sensitive Information to an Unauthorized Actor.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized actors to gain information about the active security fixes on your Shopware platform.

Such information disclosure can help attackers understand the security posture of your system, potentially aiding them in planning further attacks.

Since the vulnerability requires no privileges or user interaction and can be exploited remotely, it increases the risk of unauthorized information exposure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Shopware instance exposes the /api/_info/config API route that reveals information about active security fixes.

You can use network scanning or HTTP request tools to query this endpoint and observe if sensitive information is disclosed.

  • Use curl to send a request to the endpoint: curl -v http://<shopware-host>/api/_info/config
  • Use wget to fetch the endpoint content: wget -qO- http://<shopware-host>/api/_info/config
  • Use a browser or API testing tools like Postman to access the /api/_info/config route and check the response.

If the response contains details about active security fixes and the instance runs an affected version of swag/platform-security, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Shopware security plugin (swag/platform-security) to a patched version.

  • Upgrade to version 2.0.16 or later if using versions below 2.0.16.
  • Upgrade to version 3.0.12 or later if using versions >= 3.0.0 and < 3.0.12.
  • Upgrade to version 4.0.7 or later if using versions >= 4.0.0 and < 4.0.7.

Applying these updates will prevent unauthorized disclosure of security fix information via the /api/_info/config route.
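As an added example (not code from the advisory or the Shopware project), the following Python check reads a composer.lock, finds the installed swag/platform-security version and compares it against the three patched versions listed above. The composer.lock fragment is constructed, and the treatment of majors above 4 as unaffected is an assumption.

```python
import json

PACKAGE = "swag/platform-security"
# First fixed version per major line, from the advisory (2.0.16, 3.0.12, 4.0.7).
FIXED_BY_MAJOR = {2: (2, 0, 16), 3: (3, 0, 12), 4: (4, 0, 7)}

def parse_version(v):
    """'v3.0.11' -> (3, 0, 11); a pre-release suffix after '-' is dropped."""
    core = v.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable(version):
    """True if this swag/platform-security version predates its fix."""
    t = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(t[0])
    if fixed is None:
        # Everything below 2.0.16 is affected (no lower bound in the advisory);
        # majors above 4 are assumed unaffected (assumption, not from the page).
        return t[0] < 2
    return t < fixed

def installed_version(lock_text):
    """Return the locked version of swag/platform-security, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None

# Constructed sample composer.lock fragment (not a real lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "shopware/core", "version": "v6.6.10.0"},
        {"name": "swag/platform-security", "version": "v3.0.11"},
    ]
})

def check_lock(lock_text):
    """Return (installed version or None, vulnerable?) for a composer.lock."""
    v = installed_version(lock_text)
    return (v, v is not None and is_vulnerable(v))

if __name__ == "__main__":
    version, vuln = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: {'VULNERABLE' if vuln else 'patched or absent'}")
```

Run it against your own composer.lock by passing its contents to check_lock; a result of (None, False) means the security plugin is not installed at all.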

