Authorization Bypass in Shopware Open Commerce Platform
CVE-2026-48014

6.5MEDIUM

Key Information:

Vendor

Shopware

Vendor
CVE Published:
17 July 2026

What is CVE-2026-48014?

The Shopware Open Commerce Platform has a security vulnerability in its order state transition features. Specifically, prior to versions 6.6.10.18 and 6.7.10.1, the API endpoint responsible for controlling order state transitions lacked the necessary access control checks. This omission allows users with low privileges to perform unauthorized actions, such as manipulating order states, without proper authorization. It is crucial for users to upgrade to the latest versions to mitigate this risk and ensure secure transaction management.

Affected Version(s)

platform < 6.6.10.18 < 6.6.10.18

platform >= 6.7.0.0, < 6.7.10.1 < 6.7.0.0, 6.7.10.1

shopware < 6.6.10.18 < 6.6.10.18

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.