User Data Control Flaw in Shopware Open Commerce Platform
CVE-2026-48010
6.5MEDIUM
What is CVE-2026-48010?
A vulnerability in the Shopware Open Commerce Platform's UserController allows non-admin users to manipulate user permissions. Specifically, prior to the fixes in versions 6.6.10.18 and 6.7.10.1, the UserController::upsertUser() method did not properly validate the 'admin' field, enabling non-admin API users with the 'user:create' or 'user:update' permissions to set the 'admin' attribute to true for any user. This oversight poses a significant risk to user account integrity and platform security.
Affected Version(s)
platform < 6.6.10.18 < 6.6.10.18
platform >= 6.7.0.0, < 6.7.10.1 < 6.7.0.0, 6.7.10.1
shopware < 6.6.10.18 < 6.6.10.18
