CVE-2026-48010
Deferred Deferred - Pending Action

Privilege Escalation in Shopware via Admin Field Manipulation

Vulnerability report for CVE-2026-48010, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser() in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEM_SCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users; IntegrationController::upsertIntegration() contains an isAdmin() check for the same field, but UserController was missing this check. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
shopware shopware to 6.6.10.18 (exc)
shopware shopware to 6.7.10.1 (exc)
shopware shopware to 6.6.10.19 (exc)
shopware shopware to 6.7.10.2 (exc)
shopware shopware From 6.7.0.0 (inc) to 6.7.10.0 (inc)
shopware shopware to 6.6.10.17 (inc)
shopware shopware to 6.7.10.0 (inc)
shopware shopware to 6.6.10.18 (inc)
shopware shopware to 6.7.10.1 (inc)
shopware shopware From 6.7.0.0 (exc) to 6.7.10.0 (exc)
shopware shopware to 6.6.10.17 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48010 is a privilege escalation vulnerability in Shopware where a non-admin API user with user:create or user:update permissions can set the admin flag to true on new or existing users. This occurs because UserController::upsertUser() does not properly filter the admin field in SYSTEM_SCOPE, allowing unauthorized privilege escalation.

Detection Guidance

Check Shopware logs for unauthorized user modifications or admin privilege changes. Review API calls to UserController::upsertUser() for requests setting admin: true without proper permissions. Use commands like grep to search logs for 'admin: true' or 'user:update' actions in SYSTEM_SCOPE.

Impact Analysis

An attacker with limited API permissions could escalate their privileges to admin level, gaining full control over the Shopware system. This could lead to unauthorized access to sensitive data, system manipulation, or further attacks within the environment.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating GDPR's data protection principles and HIPAA's security requirements. Non-compliance may result in legal penalties, data breach notifications, and reputational damage.

Mitigation Strategies

Upgrade Shopware to versions 6.6.10.18 or 6.7.10.1 or later. Review and restrict user:create and user:update ACL permissions. Audit existing user accounts for unauthorized admin privileges. Monitor for suspicious API activity targeting UserController.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48010. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart