CVE-2026-32142
Information Disclosure via /api/_info/config in Shopware
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| shopware | shopware | From 7.0.0 (inc) to 7.8.1 (exc) | Affected |
| shopware | shopware | Up to 6.10.15 (exc) | Affected |
| shopware | shopware | 7.8.1 | Fixed |
| shopware | shopware | 6.10.15 | Fixed |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32142 is a moderate severity vulnerability in the Shopware commerce platform affecting versions from 7.0.0 up to but not including 7.8.1, and versions below 6.10.15.

The vulnerability occurs because the API route /api/_info/config exposes sensitive information about activated licenses and features without requiring any privileges or user interaction.

This means unauthorized actors can access information about the system's state, leading to an information disclosure issue. [1]
How can this vulnerability impact me?
The impact of this vulnerability is limited to confidentiality loss due to exposure of sensitive information.
It does not affect the integrity or availability of the system.
Attackers can gain unauthorized access to information about activated licenses and features, which could potentially aid in further attacks or reconnaissance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Shopware instance exposes the /api/_info/config API route without authentication, which reveals sensitive license information.
You can use network scanning or HTTP request commands to test this exposure.
- Use curl to send a request to the vulnerable endpoint: curl -v http://<shopware-host>/api/_info/config
- Use tools like wget or HTTPie to check the response from the /api/_info/config route.
- Scan your network for Shopware instances and verify if this endpoint is accessible without authentication.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Shopware to a fixed version.
- Upgrade Shopware to version 7.8.1 or later if you are running a version >= 7.0.0 and < 7.8.1.
- Upgrade Shopware to version 6.10.15 or later if you are running a version below 6.10.15.
Until the upgrade can be performed, restrict access to the /api/_info/config endpoint to trusted users or internal networks to prevent unauthorized information disclosure.
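The two checks described above (the affected-version ranges from the mitigation answer and the unauthenticated request to /api/_info/config from the detection answer) combined into one script for auditing your own instance. This is an added example, not code from the advisory or from Shopware; the host name is a placeholder, and it assumes a protected route answers an anonymous request with 401 or 403 while an exposed one answers 200 with a JSON object.

```python
"""Added example: audit a Shopware instance for CVE-2026-32142 (not advisory code)."""
import json
import urllib.error
import urllib.request

# Fixed versions from the advisory: affected is [7.0.0, 7.8.1) and [0, 6.10.15).
FIXED_7 = (7, 8, 1)
FIXED_6 = (6, 10, 15)


def parse_version(v):
    """Turn '7.8.1' (optionally with a '-rc1' or '+build' suffix) into (7, 8, 1)."""
    core = v.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True if the version falls inside either affected range."""
    t = parse_version(version)
    if t >= (7, 0, 0):
        return t < FIXED_7
    return t < FIXED_6


def classify_response(status, body):
    """'protected' if the route demanded auth, 'exposed' if it returned config JSON
    to an anonymous client, else 'unknown' (assumed behaviour, see lead-in)."""
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        return "exposed" if isinstance(data, dict) else "unknown"
    return "unknown"


def check_host(base_url, timeout=5):
    """Send one anonymous GET to /api/_info/config on your own host and classify it."""
    url = base_url.rstrip("/") + "/api/_info/config"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, "")


if __name__ == "__main__":
    print("7.7.3 affected:", is_affected("7.7.3"), "| 7.8.1 affected:", is_affected("7.8.1"))
    # check_host("https://shop.example.test")  # placeholder host; run against your own instance
```

Run `check_host` only against instances you administer; a result of "exposed" on an affected version confirms the upgrade or the interim access restriction is still outstanding.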