CVE-2026-48009
Deferred Deferred - Pending Action

Admin Account Takeover via Password Recovery in Shopware

Vulnerability report for CVE-2026-48009, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
shopware shopware to 6.7.10.1 (exc)
shopware shopware to 6.7.10.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an admin account takeover vulnerability in Shopware. A low-privilege admin user with user_recovery:read ACL can exploit password recovery endpoints to take over any admin account. The attacker triggers password recovery for a victim, reads the recovery hash via the Admin API search endpoint, and uses it to reset the victim's password. The root cause is the hash field in the user recovery entity being exposed through the Admin API without proper protection.

Detection Guidance

To detect this vulnerability, check if your Shopware version is below 6.6.10.18 or 6.7.10.1. Monitor API logs for suspicious POST requests to /api/_action/user/user-recovery, POST /api/search/user-recovery, and PATCH /api/_action/user/user-recovery/password. Look for unauthorized access attempts or unusual password reset activities.

Impact Analysis

An attacker could gain full admin access to your Shopware instance, allowing them to perform any administrative actions. This includes accessing sensitive data, modifying configurations, installing malicious plugins, or causing cascading security breaches. The impact is severe as it compromises the entire admin panel and all its capabilities.

Compliance Impact

This vulnerability could lead to unauthorized access to personal and sensitive data, violating GDPR's data protection requirements and HIPAA's security rules. It may result in data breaches, unauthorized disclosures, and failure to maintain proper access controls, potentially leading to regulatory penalties and legal consequences.

Mitigation Strategies

Upgrade Shopware to versions 6.6.10.18 or later, or 6.7.10.1 or later to fix the vulnerability. Ensure the hash field in UserRecoveryDefinition.php is configured with ApiAware(false) to prevent exposure through the Admin API.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart