CVE-2026-48011
Status: Deferred - Pending Action

Timing Attack User Enumeration in Shopware

Vulnerability report for CVE-2026-48011, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

1 associated CPE:

Vendor: shopware
Product: shopware
Version / Range: up to 6.7.10.1 (excluding)

Exploitability

CWE-208: Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Compliance Impact

CVE-2026-48011 allows an attacker to enumerate administrator usernames via a timing attack in Shopware's admin panel. This information disclosure could increase the risk of targeted attacks such as credential stuffing or spear phishing.

While the vulnerability itself does not directly disclose sensitive personal data, the ability to identify administrator usernames could indirectly impact compliance with standards like GDPR or HIPAA by facilitating unauthorized access attempts or privilege escalation.

Organizations using affected versions of Shopware should consider this vulnerability as a potential risk to the confidentiality and integrity of administrative accounts, which are critical for maintaining compliance with data protection regulations.

Executive Summary

This vulnerability affects the Shopware open commerce platform versions prior to 6.6.10.18 and 6.7.10.1. An attacker can perform a timing attack to enumerate the usernames of administrator users. This means the attacker can discover valid administrator usernames by measuring the time it takes for the system to respond to certain requests.

Impact Analysis

The vulnerability allows an attacker to identify administrator usernames through timing attacks. Knowing valid administrator usernames can be a first step for further attacks, such as brute force password attempts or social engineering, potentially leading to unauthorized access to the system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Shopware to version 6.6.10.18 or 6.7.10.1 or later, as these versions contain the fix for the administrator username enumeration timing attack.

Detection Guidance

CVE-2026-48011 is a timing attack vulnerability in Shopware's admin panel that allows attackers to enumerate administrator usernames by measuring response times to authentication requests.

Detection involves monitoring or testing the timing differences in responses from the `/api/oauth/token` endpoint during login attempts with different usernames.

A practical approach to detect this vulnerability is to perform scripted authentication requests with various usernames and measure the response times to identify discrepancies indicating valid usernames.

While no specific commands are provided in the resources, a common method is to use tools like curl or custom scripts to send POST requests to `/api/oauth/token` with different usernames and analyze the response time differences.

Example curl command to test a username (replace <username> and <password>):

```bash
curl -X POST https://your-shopware-domain/api/oauth/token -d '{"username":"<username>","password":"<password>"}' -H 'Content-Type: application/json' -w '%{time_total}\n' -o /dev/null -s
```

By running this command repeatedly with different usernames and comparing the total time taken (`time_total`), an attacker or tester can infer which usernames exist based on longer response times due to the password verification step.

To detect this vulnerability on your system, you can automate such timing tests and analyze the results for statistically significant timing differences.
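As an added illustration (example code, not Shopware's own), the CWE-208 pattern behind this report beside a constant-cost counterpart: the vulnerable login returns early for unknown usernames and skips the slow password hash, while the hardened login verifies unknown usernames against a dummy record so the cost no longer depends on whether the account exists. The user store, the `admin` account, its password and the PBKDF2 cost are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time

ITERATIONS = 50_000  # PBKDF2 cost: slow enough to measure, fast enough to run

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store with one administrator (assumed name and password).
USERS = {"admin": hash_password("correct horse battery staple")}
# Dummy credential that costs exactly as much to verify as a real one.
DUMMY = hash_password(secrets.token_hex(16))

def login_vulnerable(username: str, password: str) -> bool:
    """CWE-208 pattern: unknown usernames return before the slow hash runs,
    so their responses are measurably faster than those for real accounts."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)

def login_hardened(username: str, password: str) -> bool:
    """Always pays the hashing cost: unknown usernames are checked against the
    dummy record, and the lookup result is combined without short-circuiting."""
    known = username in USERS
    salt, digest = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return known & hmac.compare_digest(digest, candidate)

def median_seconds(login, username: str, password: str, samples: int = 7) -> float:
    """Median wall-clock time of a login attempt, the signal a tester measures."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, password)
        times.append(time.perf_counter() - start)
    return statistics.median(times)

def timing_ratio(login) -> float:
    """Known-user time divided by unknown-user time; close to 1.0 means no leak."""
    known = median_seconds(login, "admin", "wrong password")
    unknown = median_seconds(login, "nobody", "wrong password")
    return known / unknown
```

Running `timing_ratio` against both variants shows the vulnerable login answering unknown usernames orders of magnitude faster than known ones, while the hardened login keeps the ratio near 1.0; the same median-of-samples comparison is what a self-assessment against your own `/api/oauth/token` endpoint would compute.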
