CVE-2026-32100
Received Received - Intake
Information Disclosure via /api/_info/config in Shopware

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32100
EUVD
EUVD-2026-11642
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
shopware shopware 2.0.16
shopware shopware 3.0.12
shopware shopware 4.0.7
shopware swag/platform-security From 2.0.16 (inc) to 4.0.7 (exc)
shopware swag/platform-security From 3.0.0 (inc) to 3.0.12 (exc)
shopware swag/platform-security to 2.0.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32100 is a moderate severity vulnerability affecting the Shopware security plugin in certain versions. It occurs because the /api/_info/config API route exposes information about active security fixes.'}, {'type': 'paragraph', 'content': "This exposure leads to information disclosure, potentially revealing the system's security state to unauthorized actors."}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely without any privileges or user interaction and has a low attack complexity.'}, {'type': 'paragraph', 'content': 'It is classified under CWE-200, which means Exposure of Sensitive Information to an Unauthorized Actor.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized actors to gain information about the active security fixes on your Shopware platform.

Such information disclosure can help attackers understand the security posture of your system, potentially aiding them in planning further attacks.

Since the vulnerability requires no privileges or user interaction and can be exploited remotely, it increases the risk of unauthorized information exposure.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the Shopware instance exposes the /api/_info/config API route that reveals information about active security fixes.

You can use network scanning or HTTP request tools to query this endpoint and observe if sensitive information is disclosed.

  • Use curl to send a request to the endpoint: curl -v http://<shopware-host>/api/_info/config
  • Use wget to fetch the endpoint content: wget -qO- http://<shopware-host>/api/_info/config
  • Use a browser or API testing tools like Postman to access the /api/_info/config route and check the response.

If the response contains details about active security fixes, the system is vulnerable if it runs an affected version.

Mitigation Strategies

The immediate mitigation step is to update the Shopware security plugin (swag/platform-security) to a patched version.

  • Upgrade to version 2.0.16 or later if using versions below 2.0.16.
  • Upgrade to version 3.0.12 or later if using versions >= 3.0.0 and < 3.0.12.
  • Upgrade to version 4.0.7 or later if using versions >= 4.0.0 and < 4.0.7.

Applying these updates will prevent unauthorized disclosure of security fix information via the /api/_info/config route.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32100. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart