User Data Control Flaw in Shopware Open Commerce Platform
CVE-2026-48010

6.5MEDIUM

Key Information:

Vendor

Shopware

Vendor
CVE Published:
17 July 2026

What is CVE-2026-48010?

A vulnerability in the Shopware Open Commerce Platform's UserController allows non-admin users to manipulate user permissions. Specifically, prior to the fixes in versions 6.6.10.18 and 6.7.10.1, the UserController::upsertUser() method did not properly validate the 'admin' field, enabling non-admin API users with the 'user:create' or 'user:update' permissions to set the 'admin' attribute to true for any user. This oversight poses a significant risk to user account integrity and platform security.

Affected Version(s)

platform < 6.6.10.18 < 6.6.10.18

platform >= 6.7.0.0, < 6.7.10.1 < 6.7.0.0, 6.7.10.1

shopware < 6.6.10.18 < 6.6.10.18

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.