CVE-2026-48014
Deferred Deferred - Pending Action

Unauthorized State Transition in Shopware

Vulnerability report for CVE-2026-48014, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/_action/order/{orderId}/state/{transition} and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare PlatformRequest::ATTRIBUTE_ACL or perform an explicit privilege check, so AclAnnotationValidator exits when route ACL metadata is absent and low-privileged users without order:update, order_transaction:update, or order_delivery:update can trigger StateMachineRegistry::transition() writes in SYSTEM_SCOPE. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
shopware shopware to 6.7.10.1 (exc)
shopware shopware 6.6.10.18
shopware shopware From 6.7.0.0 (inc) to 6.7.10.1 (exc)
shopware shopware 6.7.10.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48014 is a vulnerability in Shopware's Admin API that allows unauthorized users to bypass access controls and change order states. The issue occurs because certain API endpoints handling order state transitions lack proper ACL checks. Low-privileged authenticated users can exploit this to manipulate order lifecycles without required permissions.

Detection Guidance

Check Shopware versions for affected releases (6.7.0.0 to 6.7.10.1 or 6.6.10.18). Monitor API logs for unauthorized POST requests to /api/_action/order/{orderId}/state/{transition} or similar endpoints. Use tools like curl to test if low-privileged users can trigger state transitions without proper permissions.

Impact Analysis

This vulnerability can lead to operational disruptions, workflow misuse, and financial losses. Unauthorized users may alter order states, transactions, or deliveries, causing fulfillment errors, settlement issues, or support complications. The integrity of order processing is compromised without direct confidentiality or availability loss.

Compliance Impact

This vulnerability allows low-privileged users to manipulate order states without proper authorization, which could lead to unauthorized changes in transaction records. For GDPR, this may violate integrity requirements for personal data processing. For HIPAA, it could compromise audit trails and transaction integrity in healthcare-related orders.

Mitigation Strategies

Upgrade Shopware to patched versions (6.6.10.18 or 6.7.10.1) immediately. Review and restrict API access for low-privileged users. Implement network-level controls to block unauthorized API calls to transition endpoints. Verify ACL configurations for order, transaction, and delivery state transitions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart