Authentication Flaw in Shopware Open Commerce Platform
CVE-2026-31889

8.9HIGH

Key Information:

Vendor: Shopware
Status: Core; Platform
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-31889?

The Shopware Open Commerce Platform contains a vulnerability in its app registration flow that can enable attackers to hijack the communication channel between a shop and its app. This issue arises from the use of HMAC-based authentication that does not adequately bind a shop installation to its original domain. Specifically, during re-registration, an attacker may update the shop URL without needing to prove control over the original shop or domain. By exploiting this flaw, an attacker with knowledge of the app-side secret can redirect app traffic to a malicious domain, potentially obtaining API credentials intended for the legitimate shop. This vulnerability has been addressed in versions 6.6.10.15 and 6.7.8.1.

Affected Version(s)

core >= 6.7.0.0, < 6.7.8.1 < 6.7.0.0, 6.7.8.1

core < 6.6.10.15 < 6.6.10.15

platform >= 6.7.0.0, < 6.7.8.1 < 6.7.0.0, 6.7.8.1

References

https://github.com/shopware/shopware/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31889 Data

JSON