CVE-2026-48008
Deferred Deferred - Pending Action

Privilege Escalation in Shopware via Sync API

Vulnerability report for CVE-2026-48008, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/_action/sync; the regular integration endpoint POST /api/integration blocks this, but SyncController::sync() routes writes through SyncService to EntityWriter::upsert(), and src/Core/Framework/Integration/IntegrationDefinition.php lacks WriteProtection on the admin field. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
shopware shopware to 6.6.10.18|end_excluding=6.7.10.1 (exc)
shopware shopware to 6.6.10.18 (inc)
shopware shopware to 6.7.10.1 (inc)
shopware shopware From 6.6.10.17 (inc) to 6.7.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Shopware allows a non-admin API user with limited privileges to escalate their access to full administrator rights. The issue occurs through the Sync API endpoint, which bypasses normal security checks. By creating an integration with the admin flag set to true, an attacker can gain complete administrative control over the system.

Detection Guidance

Check Shopware versions for affected releases (6.6.10.17 or lower, 6.7.0.0 to 6.7.10.0). Review API logs for POST requests to /api/_action/sync with admin: true flag. Inspect IntegrationDefinition.php for missing WriteProtected flag on admin field.

Impact Analysis

An attacker exploiting this vulnerability could gain full administrative access to your Shopware instance. This would allow them to steal sensitive data, modify system configurations, install malicious extensions, create persistent backdoors, or disrupt operations. The impact includes potential data breaches and complete system compromise.

Compliance Impact

This vulnerability could lead to violations of GDPR and HIPAA by enabling unauthorized access to personal and protected health information. A successful exploit could result in data breaches that require regulatory reporting, potential fines for non-compliance, and damage to customer trust and organizational reputation.

Mitigation Strategies

Upgrade Shopware to versions 6.6.10.18 or 6.7.10.1 or later. Apply the WriteProtected flag to the admin field in IntegrationDefinition.php. Restrict API access to trusted users and monitor for unauthorized integration creation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart