CVE-2026-32142
Received Received - Intake
Information Disclosure via /api/_info/config in Shopware

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32142
EUVD
EUVD-2026-11663
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
shopware shopware From 7.0.0 (inc) to 7.8.1 (exc)
shopware shopware to 6.10.15 (exc)
shopware shopware 7.8.1
shopware shopware 6.10.15
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32142 is a moderate severity vulnerability in the Shopware commerce platform affecting versions from 7.0.0 up to but not including 7.8.1, and versions below 6.10.15.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the API route /api/_info/config exposes sensitive information about activated licenses and features without requiring any privileges or user interaction.'}, {'type': 'paragraph', 'content': "This means unauthorized actors can access information about the system's state, leading to an information disclosure issue."}] [1]

Detection Guidance

This vulnerability can be detected by checking if the Shopware instance exposes the /api/_info/config API route without authentication, which reveals sensitive license information.

You can use network scanning or HTTP request commands to test this exposure.

  • Use curl to send a request to the vulnerable endpoint: curl -v http://<shopware-host>/api/_info/config
  • Use tools like wget or HTTPie to check the response from the /api/_info/config route.
  • Scan your network for Shopware instances and verify if this endpoint is accessible without authentication.
Mitigation Strategies

The immediate mitigation step is to upgrade Shopware to a fixed version.

  • Upgrade Shopware to version 7.8.1 or later if you are running a version >= 7.0.0 and < 7.8.1.
  • Upgrade Shopware to version 6.10.15 or later if you are running a version below 6.10.15.

Until the upgrade can be performed, restrict access to the /api/_info/config endpoint to trusted users or internal networks to prevent unauthorized information disclosure.

Impact Analysis

The impact of this vulnerability is limited to confidentiality loss due to exposure of sensitive information.

It does not affect the integrity or availability of the system.

Attackers can gain unauthorized access to information about activated licenses and features, which could potentially aid in further attacks or reconnaissance.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32142. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart