VYPR
Moderate severity · NVD Advisory · Published Feb 9, 2026 · Updated Feb 10, 2026

FroshAdminer Adminer UI is accessible without admin session

CVE-2026-25878

Description

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The FroshAdminer plugin for Shopware exposes the Adminer UI without authentication, allowing unauthenticated database access.

Vulnerability

Description

The FroshAdminer plugin for Shopware Platform, prior to version 2.2.1, exposes the Adminer database management UI at the /admin/adminer route without requiring authentication [1]. The route was configured with auth_required=false in its Symfony attribute, and the index() method performed no session validation, allowing any user to access the Adminer interface without being logged into the Shopware administration panel [1][4].

Exploitation

An attacker can access the Adminer route directly without any authentication. The commit that fixes the issue shows that the login method sets $_SESSION['frosh_adminer_authenticated'] = true after successful authentication, and the index method now checks for this session variable, returning HTTP 403 if absent [4]. Prior to the fix, an attacker could navigate to /admin/adminer and gain full access to Adminer's database management capabilities.

Impact

A successful attacker can interact with the underlying database through the Adminer interface without any prior authentication to the Shopware platform. This includes viewing, modifying, or deleting database records, which can lead to complete compromise of the Shopware application and its data [1].

Mitigation

The vulnerability is fixed in FroshAdminer version 2.2.1, released on the same date as the CVE publication [2]. Users should update to the latest version immediately. No workarounds are mentioned in the advisory.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
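To check whether the exposed route was reached while an instance was still on a pre-2.2.1 release, the web-server access log is the record to look at. The following is an added example, not code from the plugin or the advisory: it parses combined-format log lines, keeps only requests to the Adminer route, and counts per client how often the UI was served (200) versus refused (403, the post-fix behaviour for a request without the authenticated session). It assumes the default Shopware administration path name "admin" and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format (the sample below is constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Route as it resolves with the default Shopware administration path
# name "admin"; change this if the deployment renames it (assumption).
ADMINER_PATH = "/admin/adminer"

def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))

def triage_adminer_hits(lines):
    """Count Adminer-route requests per client: 200 = UI served (pre-2.2.1
    behaviour, or an authenticated session after the fix); 403 = the
    post-fix refusal for a request without the authenticated session."""
    served, refused = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, status = rec
        if path != ADMINER_PATH:
            continue
        if status == 200:
            served[ip] += 1
        elif status == 403:
            refused[ip] += 1
    return {"served": dict(served), "refused": dict(refused)}

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2026:10:12:01 +0000] "GET /admin/adminer HTTP/1.1" 200 8421 "-" "curl/8.5"
203.0.113.7 - - [09/Feb/2026:10:12:05 +0000] "POST /admin/adminer?server=localhost HTTP/1.1" 200 512 "-" "curl/8.5"
198.51.100.4 - - [09/Feb/2026:10:13:44 +0000] "GET /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:08:00:00 +0000] "GET /admin/adminer HTTP/1.1" 403 9 "-" "curl/8.5"
"""

if __name__ == "__main__":
    print(triage_adminer_hits(SAMPLE_LOG.splitlines()))
```

A 200 is only an exposure indicator for entries dated before the update to 2.2.1; afterwards the same status also covers legitimate use by an administrator who went through the plugin's login step.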

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
frosh/adminer-platform (Packagist)   < 2.2.1             2.2.1


Patches

c4dd6c3462af

fix: require authenticated session before loading Adminer UI (#32)

2 files changed · +11 -2
  • composer.json  +1 -1  modified
    @@ -1,6 +1,6 @@
     {
         "name": "frosh/adminer-platform",
    -    "version": "2.2.0",
    +    "version": "2.2.1",
         "type": "shopware-platform-plugin",
         "keywords": ["adminer", "shopware", "frosh"],
         "description": "Adminer for Shopware",
    
  • src/Controller/AdminerController.php  +10 -1  modified
    @@ -25,6 +25,7 @@ public function login(Request $request): JsonResponse
     
             header_remove('Set-Cookie');
             $_SESSION["token"] = rand(1, 1e6);
    +        $_SESSION['frosh_adminer_authenticated'] = true;
     
             $_SESSION["dbs"]['server'][$credentials['host']][$credentials['user']] = [
                 $credentials['path']
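Review bot: the new `$_SESSION['frosh_adminer_authenticated'] = true;` is written into the session that already existed before login, and no `session_regenerate_id(true)` call is visible in this hunk, so a pre-login session id keeps its value once it becomes privileged; regenerating the id immediately before setting the flag would close that gap. As a side point on the surrounding context, `$_SESSION["token"] = rand(1, 1e6);` draws the token from a non-cryptographic generator over a small range; `bin2hex(random_bytes(16))` is the idiomatic replacement.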
    @@ -51,7 +52,15 @@ public function login(Request $request): JsonResponse
         #[Route(path: '/%shopware_administration.path_name%/adminer', name: 'administration.frosh_adminer', defaults: ['auth_required' => false, '_routeScope' => ['administration']], methods: ['GET', 'POST'])]
         public function index(): Response
         {
    -        chdir(__DIR__ . '/../Adminer');;
    +        session_cache_limiter('');
    +        session_name('adminer_sid');
    +        session_start();
    +
    +        if (empty($_SESSION['frosh_adminer_authenticated'])) {
    +            return new Response('Forbidden', Response::HTTP_FORBIDDEN);
    +        }
    +
    +        chdir(__DIR__ . '/../Adminer');
             unset($_POST['auth']);
             require __DIR__ . '/../Adminer/Adminer.php';
             return new Response('');
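Review bot: the route attribute still carries `'auth_required' => false`, so the only gate in front of index() is the plugin's own session flag, not the Shopware administration session; the check proves that login() ran for this cookie, not that a Shopware administrator is logged in. If the intent of the fix is "require an authenticated session", it should say in the commit message or a code comment which session is meant, and if the admin session is meant, `auth_required` should be true or the admin context checked in addition to the flag. The hunk also does not show login() selecting `adminer_sid` as its session name; unless both methods use the same `session_name()`, every request to index() would be refused, so that coupling deserves a comment next to `session_name('adminer_sid');`. The removal of the stray `;;` on the old chdir line is a welcome tidy-up.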
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

