CVE-2026-7630
Status: Deferred - Pending Action
Improper Authentication in InnoShop E-Commerce Platform

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.
Meta Information
Published: 2026-05-02
Last Modified: 2026-05-05
Generated: 2026-05-27
AI Q&A: 2026-05-02
EPSS Evaluated: 2026-05-25
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor        Product   Version / Range
innocommerce  innoshop  to 0.7.8 (inc)
innocommerce  innoshop  to 0.7.4 (exc)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Innoshop allows unauthenticated attackers to perform a complete system takeover by exploiting the installation endpoint. This includes overwriting configuration files, wiping the database, and creating new administrator accounts. Such unauthorized access and data destruction can lead to loss of data integrity, confidentiality, and availability.

From a compliance perspective, this vulnerability could severely impact adherence to standards like GDPR and HIPAA, which require protection of personal data, prevention of unauthorized access, and ensuring data integrity and availability. The ability for an attacker to gain full control and potentially destroy or manipulate sensitive data violates these principles and could result in non-compliance, legal penalties, and reputational damage.


Can you explain this vulnerability to me?

CVE-2026-7630 is a critical pre-authentication vulnerability in the Innoshop eCommerce system, specifically in the installation module. The vulnerability exists because the installation routes remain accessible even after the application is fully installed, without requiring authentication or CSRF protection.

An attacker can exploit this flaw by sending a single unauthenticated POST request to the /install/complete endpoint. This request can overwrite the application's .env configuration file, wipe the database, reseed data, and create a new administrator account, effectively taking over the entire system.

The root cause is that the installation routes are registered unconditionally without checking if the application is already installed, and there is no authentication or CSRF protection on these routes. The patch fixes this by adding a guard condition in the InstallServiceProvider::boot() method that prevents access to installation routes if the application is already installed.


How can this vulnerability impact me?

This vulnerability can have severe impacts including complete system takeover by an unauthenticated attacker.

  • An attacker can overwrite the .env configuration file, potentially breaking the application or changing critical settings.
  • The database can be wiped clean, resulting in irreversible data loss.
  • A new administrator account can be created by the attacker, granting full control over the application.
  • The attacker can gain access to the admin panel and potentially execute remote code by uploading malicious plugins.
  • The application can become unusable due to overwritten configuration with invalid credentials, causing denial of service.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the installation endpoint /install/complete is accessible without authentication on your Innoshop installation. An unauthenticated POST request to this endpoint can trigger the exploit.

A practical detection method is to attempt sending a POST request to the /install/complete endpoint and observe if it allows execution without authentication or CSRF protection.

For example, you can use the following curl command to test if the endpoint is vulnerable:

  • curl -X POST http://your-innoshop-domain/install/complete -d '' -v

If the request succeeds and triggers installation actions (such as overwriting configuration or creating admin accounts), the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the patch that adds a guard condition in the InstallServiceProvider::boot() method to prevent access to installation routes once the application is installed.

Specifically, the patch introduces a check using the has_install_lock() function which blocks the reinstallation process and protects the /install/complete endpoint from unauthenticated access.

If patching immediately is not possible, restrict access to the /install/complete endpoint by network controls such as firewall rules or web server configuration to block unauthenticated requests.

Additionally, monitor your system for any suspicious POST requests to installation endpoints and review logs for unauthorized activity.
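The detection answer above suggests probing the endpoint, and the mitigation answer suggests reviewing logs for suspicious POST requests to installation endpoints. The following script is an added example, not part of the advisory or of the InnoShop project: it reads web-server access-log lines in the common "combined" format and flags requests that touch the installer, rating a POST to /install/complete that the server accepted (status below 400) as critical, any other accepted installer hit as high, and rejected hits as blocked (evidence that a network or web-server restriction is working). The log lines are constructed samples with documentation-range addresses; the assumption that all installer routes live under the /install prefix is mine, since the advisory only names /install/complete.

```python
"""Flag access-log requests that reach InnoShop installation routes.

Added example for CVE-2026-7630 (not code from the advisory or the project).
Assumes the Apache/nginx "combined" log format; all log lines below are
constructed samples, and the /install prefix is an assumption.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# combined format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

INSTALL_PREFIX = "/install"           # assumed mount point of the installer routes
COMPLETE_PATH = "/install/complete"   # endpoint named in the advisory

# Constructed sample log: normal shop traffic, one client that reaches the
# installer and then the admin login, and one client whose POST was rejected.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:10:01:12 +0000] "GET /products/shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/May/2026:10:01:15 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [02/May/2026:10:02:01 +0000] "GET /install HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.23 - - [02/May/2026:10:02:03 +0000] "POST /install/complete HTTP/1.1" 200 120 "-" "python-requests/2.31"
198.51.100.23 - - [02/May/2026:10:02:09 +0000] "GET /admin/login HTTP/1.1" 200 3100 "-" "python-requests/2.31"
192.0.2.44 - - [02/May/2026:11:15:40 +0000] "POST /install/complete HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the request target: drop query string and trailing slash.
    rec["path"] = urlsplit(rec["target"]).path.rstrip("/") or "/"
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Severity for a parsed record, or None if the request is not an installer route."""
    path = rec["path"]
    if path != INSTALL_PREFIX and not path.startswith(INSTALL_PREFIX + "/"):
        return None
    accepted = rec["status"] < 400  # 2xx/3xx: the server did not refuse the request
    if rec["method"] == "POST" and path == COMPLETE_PATH:
        return "critical" if accepted else "blocked"
    return "high" if accepted else "blocked"


def scan_log(text):
    """Return a list of findings (one dict per installer request) in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity is not None:
            findings.append({
                "ip": rec["ip"], "time": rec["time"], "method": rec["method"],
                "path": rec["path"], "status": rec["status"], "severity": severity,
            })
    return findings


def sources(findings):
    """Installer hits per client address, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:8} {f['ip']:15} {f['method']:4} {f['path']} -> {f['status']} at {f['time']}")
    print("per-source counts:", sources(found))
```

Run it against a real log with `scan_log(open("access.log").read())`; on a patched instance every installer hit should come back as "blocked", and any "critical" finding followed by admin-panel activity from the same address deserves an incident-response look rather than a log review.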

