CVE-2026-48010
Deferred
Deferred - Pending Action
Privilege Escalation in Shopware via Admin Field Manipulation
Vulnerability report for CVE-2026-48010, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-17
Last updated on: 2026-07-17
Assigner: GitHub, Inc.
Description
Description
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser() in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEM_SCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users; IntegrationController::upsertIntegration() contains an isAdmin() check for the same field, but UserController was missing this check. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shopware | shopware | to 6.6.10.18 (exc) |
| shopware | shopware | to 6.7.10.1 (exc) |
| shopware | shopware | to 6.6.10.19 (exc) |
| shopware | shopware | to 6.7.10.2 (exc) |
| shopware | shopware | From 6.7.0.0 (inc) to 6.7.10.0 (inc) |
| shopware | shopware | to 6.6.10.17 (inc) |
| shopware | shopware | to 6.7.10.0 (inc) |
| shopware | shopware | to 6.6.10.18 (inc) |
| shopware | shopware | to 6.7.10.1 (inc) |
| shopware | shopware | From 6.7.0.0 (exc) to 6.7.10.0 (exc) |
| shopware | shopware | to 6.6.10.17 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |