Insufficient Filter Checks in Shopware's Open Commerce Platform
CVE-2026-31887

8.9 HIGH

Key Information:

Vendor: Shopware
CVE Published: 11 March 2026

What is CVE-2026-31887?

The Shopware Open Commerce Platform, in versions before 6.7.8.1 and 6.6.10.15, performs an insufficient check on filter types, which allows unauthenticated customers to gain unauthorized access to the orders of other customers. The flaw is part of the deepLinkCode support on the store-api.order endpoint and puts user data and order information at risk. Users are urged to update to the patched versions to mitigate it.

Affected Version(s)

  • core: >= 6.7.0.0, < 6.7.8.1

  • core: < 6.6.10.15

  • platform: >= 6.7.0.0, < 6.7.8.1

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
