CVE-2026-31889
March 11, 2026
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC-based authentication without sufficiently binding a shop installation to its original domain. During re-registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app-side secret. By abusing app re-registration, an attacker could redirect app traffic to an attacker-controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.
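To make the flaw concrete, the following added example (hypothetical model written for this advisory, not Shopware's code) sketches an app-side registration endpoint: the HMAC over the registration query proves only that the caller knows the app secret, so with `bind_domain=False` (the legacy behaviour) a re-registration of a known shop-id silently moves the shop to a new domain, while the hardened variant refuses a domain change unless control over the previously registered shop is proven separately. Names, query format and the in-memory registry are assumptions for the demo.

```python
"""Model of an app-side registration endpoint (hypothetical; not Shopware's code)."""
import hashlib
import hmac
from urllib.parse import urlsplit


def sign(secret: str, query: str) -> str:
    """HMAC-SHA256 over the registration query string, as a shop would send it."""
    return hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()


class AppRegistry:
    """In-memory shop registry held by the app. bind_domain=False models the legacy flow."""

    def __init__(self, app_secret: str, bind_domain: bool = True) -> None:
        self.app_secret = app_secret
        self.bind_domain = bind_domain
        self.shops: dict[str, str] = {}  # shop-id -> registered shop-url

    def register(self, shop_id: str, shop_url: str, query: str, signature: str) -> str:
        # 1. The HMAC only proves knowledge of the app secret; it says nothing about
        #    whether the caller controls the domain it names in shop-url.
        if not hmac.compare_digest(sign(self.app_secret, query), signature):
            raise PermissionError("invalid registration signature")
        host = urlsplit(shop_url).hostname
        if urlsplit(shop_url).scheme != "https" or not host:
            raise ValueError("shop-url must be an absolute https URL")
        previous = self.shops.get(shop_id)
        # 2. Hardened flow: a known shop-id may not move to another domain by simply
        #    re-registering; a legitimate migration needs a separate proof of control.
        if self.bind_domain and previous and urlsplit(previous).hostname != host:
            raise PermissionError(f"shop {shop_id} is bound to {urlsplit(previous).hostname}")
        self.shops[shop_id] = shop_url
        return "created" if previous is None else "updated"


def demo(bind_domain: bool) -> str:
    """Register a shop, then re-register the same shop-id from another domain (constructed data)."""
    secret = "app-secret-constructed-for-demo"
    reg = AppRegistry(secret, bind_domain=bind_domain)
    q1 = "shop-id=shop1&shop-url=https://shop.example&timestamp=1"
    reg.register("shop1", "https://shop.example", q1, sign(secret, q1))
    q2 = "shop-id=shop1&shop-url=https://other.example&timestamp=2"
    try:
        reg.register("shop1", "https://other.example", q2, sign(secret, q2))
    except PermissionError:
        return "refused"
    return "accepted:" + reg.shops["shop1"]
```

With the legacy setting the second call succeeds and the app now sends its traffic and credentials to the new domain; with domain binding it is rejected.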
Affected Packages
shopware/platform (PHP):
Affected version(s): >=v6.0.0+dp1 <v6.6.10.15
Fix Suggestion: Update to version v6.6.10.15

shopware/platform (PHP):
Affected version(s): >=v6.7.0.0 <v6.7.8.1
Fix Suggestion: Update to version v6.7.8.1

shopware/core (PHP):
Affected version(s): >=v6.7.0.0 <v6.7.8.1
Fix Suggestion: Update to version v6.7.8.1

shopware/core (PHP):
Affected version(s): >=v6.0.0+ea1 <v6.6.10.15
Fix Suggestion: Update to version v6.6.10.15

CVSS v4
Base Score: 9.5
Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: LOW
Subsequent System Confidentiality: HIGH
Subsequent System Integrity: HIGH
Subsequent System Availability: LOW
CVSS v3
Base Score: 8.9
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: LOW
Weakness Type (CWE): Authentication Bypass by Spoofing
EPSS
Base Score: 0.08