Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
CVE-2026-48011

3.7 LOW

Key Information:

Vendor: Shopware

Status
Vendor
CVE Published: 10 June 2026

What is CVE-2026-48011?

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

Affected Version(s)

shopware >= 6.7.0.0, < 6.7.10.1

shopware < 6.6.10.18

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
