Authorization Bypass in Shopware Open Commerce Platform
CVE-2026-48014
6.5MEDIUM
What is CVE-2026-48014?
The Shopware Open Commerce Platform has a security vulnerability in its order state transition features. Specifically, prior to versions 6.6.10.18 and 6.7.10.1, the API endpoint responsible for controlling order state transitions lacked the necessary access control checks. This omission allows users with low privileges to perform unauthorized actions, such as manipulating order states, without proper authorization. It is crucial for users to upgrade to the latest versions to mitigate this risk and ensure secure transaction management.
Affected Version(s)
platform < 6.6.10.18 < 6.6.10.18
platform >= 6.7.0.0, < 6.7.10.1 < 6.7.0.0, 6.7.10.1
shopware < 6.6.10.18 < 6.6.10.18
