CVE-2026-7630
Deferred Deferred - Pending Action
Improper Authentication in InnoShop E-Commerce Platform

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7630
EUVD
EUVD-2026-26792
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
innocommerce innoshop to 0.7.8 (inc)
innocommerce innoshop to 0.7.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7630 is a critical pre-authentication vulnerability in the Innoshop eCommerce system, specifically in the installation module. The vulnerability exists because the installation routes remain accessible even after the application is fully installed, without requiring authentication or CSRF protection.

An attacker can exploit this flaw by sending a single unauthenticated POST request to the /install/complete endpoint. This request can overwrite the application's .env configuration file, wipe the database, reseed data, and create a new administrator account, effectively taking over the entire system.

The root cause is that the installation routes are registered unconditionally without checking if the application is already installed, and there is no authentication or CSRF protection on these routes. The patch fixes this by adding a guard condition in the InstallServiceProvider::boot() method that prevents access to installation routes if the application is already installed.

Impact Analysis

This vulnerability can have severe impacts including complete system takeover by an unauthenticated attacker.

  • An attacker can overwrite the .env configuration file, potentially breaking the application or changing critical settings.
  • The database can be wiped clean, resulting in irreversible data loss.
  • A new administrator account can be created by the attacker, granting full control over the application.
  • The attacker can gain access to the admin panel and potentially execute remote code by uploading malicious plugins.
  • The application can become unusable due to overwritten configuration with invalid credentials, causing denial of service.
Detection Guidance

This vulnerability can be detected by checking if the installation endpoint /install/complete is accessible without authentication on your Innoshop installation. An unauthenticated POST request to this endpoint can trigger the exploit.

A practical detection method is to attempt sending a POST request to the /install/complete endpoint and observe if it allows execution without authentication or CSRF protection.

For example, you can use the following curl command to test if the endpoint is vulnerable:

  • curl -X POST http://your-innoshop-domain/install/complete -d '' -v

If the request succeeds and triggers installation actions (such as overwriting configuration or creating admin accounts), the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to apply the patch that adds a guard condition in the InstallServiceProvider::boot() method to prevent access to installation routes once the application is installed.

Specifically, the patch introduces a check using the has_install_lock() function which blocks the reinstallation process and protects the /install/complete endpoint from unauthenticated access.

If patching immediately is not possible, restrict access to the /install/complete endpoint by network controls such as firewall rules or web server configuration to block unauthenticated requests.

Additionally, monitor your system for any suspicious POST requests to installation endpoints and review logs for unauthorized activity.

Compliance Impact

The vulnerability in Innoshop allows unauthenticated attackers to perform a complete system takeover by exploiting the installation endpoint. This includes overwriting configuration files, wiping the database, and creating new administrator accounts. Such unauthorized access and data destruction can lead to loss of data integrity, confidentiality, and availability.

From a compliance perspective, this vulnerability could severely impact adherence to standards like GDPR and HIPAA, which require protection of personal data, prevention of unauthorized access, and ensuring data integrity and availability. The ability for an attacker to gain full control and potentially destroy or manipulate sensitive data violates these principles and could result in non-compliance, legal penalties, and reputational damage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7630. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart