CVE-2026-32100
Received Received - Intake

Information Disclosure via /api/_info/config in Shopware

Vulnerability report for CVE-2026-32100, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description

Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-07-06
AI Q&A
2026-03-12
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
shopware shopware 2.0.16
shopware shopware 3.0.12
shopware shopware 4.0.7
shopware swag/platform-security From 2.0.16 (inc) to 4.0.7 (exc)
shopware swag/platform-security From 3.0.0 (inc) to 3.0.12 (exc)
shopware swag/platform-security to 2.0.16 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32100 is a moderate severity vulnerability affecting the Shopware security plugin in certain versions. It occurs because the /api/_info/config API route exposes information about active security fixes.'}, {'type': 'paragraph', 'content': "This exposure leads to information disclosure, potentially revealing the system's security state to unauthorized actors."}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely without any privileges or user interaction and has a low attack complexity.'}, {'type': 'paragraph', 'content': 'It is classified under CWE-200, which means Exposure of Sensitive Information to an Unauthorized Actor.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized actors to gain information about the active security fixes on your Shopware platform.

Such information disclosure can help attackers understand the security posture of your system, potentially aiding them in planning further attacks.

Since the vulnerability requires no privileges or user interaction and can be exploited remotely, it increases the risk of unauthorized information exposure.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the Shopware instance exposes the /api/_info/config API route that reveals information about active security fixes.

You can use network scanning or HTTP request tools to query this endpoint and observe if sensitive information is disclosed.

  • Use curl to send a request to the endpoint: curl -v http://<shopware-host>/api/_info/config
  • Use wget to fetch the endpoint content: wget -qO- http://<shopware-host>/api/_info/config
  • Use a browser or API testing tools like Postman to access the /api/_info/config route and check the response.

If the response contains details about active security fixes, the system is vulnerable if it runs an affected version.

Mitigation Strategies

The immediate mitigation step is to update the Shopware security plugin (swag/platform-security) to a patched version.

  • Upgrade to version 2.0.16 or later if using versions below 2.0.16.
  • Upgrade to version 3.0.12 or later if using versions >= 3.0.0 and < 3.0.12.
  • Upgrade to version 4.0.7 or later if using versions >= 4.0.0 and < 4.0.7.

Applying these updates will prevent unauthorized disclosure of security fix information via the /api/_info/config route.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32100. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart