Shopware unauthenticated data extraction possible through store-api.order endpoint
Description
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware 6 fails to validate filter types on the store-api.order endpoint, letting unauthenticated attackers view any customer's orders and personal data.
Summary
An insufficient check on the filter types for unauthenticated customers in Shopware 6 allows access to orders of other customers. This vulnerability resides in the deepLinkCode support on the store-api.order endpoint.
Root Cause
The code does not properly restrict filter types when an unauthenticated request is made via the deepLinkCode mechanism on the order endpoint [1]. As a result, an attacker can query order data for any customer without authentication.
Exploitation
An unauthenticated attacker can send crafted requests to the store-api.order endpoint that bypass the intended access controls. No special privileges or prior knowledge beyond the endpoint URL is required. The deepLinkCode functionality is meant to allow limited order lookups, but the insufficient filter check enables broader data retrieval.
Impact
A successful exploit can expose a wide range of sensitive customer data, including names, billing and shipping addresses, email addresses, ordered products, order values, order numbers, order dates, payment method details, and shipping method information [3]. This could lead to privacy breaches, identity theft, or targeted phishing attacks. The vulnerability affects versions prior to 6.7.8.1 and 6.6.10.15, and the code has been present since roughly 2021 [3].
Mitigation
Shopware has addressed the issue in versions 6.7.8.1 and 6.6.10.15 [1]. Users are strongly advised to update to these or later versions. No workarounds have been publicly released.
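The access-control invariant at stake here is simple to state: a request with no customer session may look up an order only by its deep link code, and the filter it carries must be exactly that one lookup, not an arbitrary filter type on some other field. The following Python is an added illustration of that check and of a log review built on it; it is not Shopware's code, and the endpoint path, the `deepLinkCode` field name, the `authenticated` flag and the JSON filter shape (`type`/`field`/`value`, with nested `queries` for compound filters) are assumptions made for the example.

```python
import json

# Assumed names for this illustration; the real criteria format is not reproduced.
DEEP_LINK_FIELD = "deepLinkCode"
UNAUTH_ALLOWED_TYPES = {"equals"}


class FilterRejected(ValueError):
    """Raised when an unauthenticated request carries filters outside the allowlist."""


def deep_link_code_for_unauthenticated(filters):
    """Enforce the invariant: an unauthenticated lookup is exactly one 'equals'
    filter on the deep link code. Any other filter type, any other field, any
    nesting and any extra filter is refused. This is the kind of filter-type
    check the advisory describes as insufficient in affected versions."""
    if len(filters) != 1:
        raise FilterRejected("unauthenticated lookup must carry exactly one filter")
    f = filters[0]
    if f.get("type") not in UNAUTH_ALLOWED_TYPES or f.get("queries"):
        raise FilterRejected(f"filter type {f.get('type')!r} not allowed without a session")
    if f.get("field") != DEEP_LINK_FIELD:
        raise FilterRejected(f"only {DEEP_LINK_FIELD} may be used without a session")
    code = f.get("value")
    if not isinstance(code, str) or not code.strip():
        raise FilterRejected("deep link code must be a non-empty string")
    return code


def effective_criteria(customer_id, filters):
    """Build the criteria that would actually reach the order repository.
    A logged-in customer is always scoped to their own customerId, whatever
    they filter on; an anonymous caller is reduced to a single deep-link lookup."""
    if customer_id is not None:
        return {"customerId": customer_id, "filters": list(filters)}
    code = deep_link_code_for_unauthenticated(filters)
    return {
        "customerId": None,
        "filters": [{"type": "equals", "field": DEEP_LINK_FIELD, "value": code}],
    }


# Constructed sample of request logs (not real traffic): one JSON object per line.
SAMPLE_LOG = """\
{"path": "/store-api/order", "authenticated": false, "filters": [{"type": "equals", "field": "deepLinkCode", "value": "abc123"}]}
{"path": "/store-api/order", "authenticated": false, "filters": [{"type": "multi", "operator": "and", "queries": [{"type": "equals", "field": "deepLinkCode", "value": "abc123"}, {"type": "range", "field": "orderDate", "parameters": {"gte": "2026-01-01"}}]}]}
{"path": "/store-api/order", "authenticated": true, "filters": [{"type": "range", "field": "orderDate", "parameters": {"gte": "2026-01-01"}}]}
{"path": "/store-api/product", "authenticated": false, "filters": [{"type": "contains", "field": "name", "value": "shirt"}]}
"""


def flag_suspicious_order_lookups(log_text):
    """Return (line number, reason) for every unauthenticated order request whose
    filters violate the deep-link invariant. Useful for reviewing traffic against
    an instance that has not yet been updated to a fixed version."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = json.loads(line)
        if rec.get("path") != "/store-api/order" or rec.get("authenticated"):
            continue
        try:
            deep_link_code_for_unauthenticated(rec.get("filters", []))
        except FilterRejected as exc:
            findings.append((n, str(exc)))
    return findings


if __name__ == "__main__":
    for line_no, reason in flag_suspicious_order_lookups(SAMPLE_LOG):
        print(f"log line {line_no}: {reason}")
```

Only line 2 of the constructed log is flagged: it is unauthenticated and wraps the deep link lookup in a compound filter that also touches another field, which the allowlist refuses outright. The authenticated range query on line 3 is acceptable because it is scoped to the session's own customer, and line 4 is a different endpoint.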
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shopware/core (Packagist) | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware/core (Packagist) | < 6.6.10.15 | 6.6.10.15 |
| shopware/platform (Packagist) | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware/platform (Packagist) | < 6.6.10.15 | 6.6.10.15 |
Affected products
- shopware/core: >= 6.7.0.0, < 6.7.8.1
- shopware/platform: >= 6.7.0.0, < 6.7.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-7vvp-j573-5584 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-31887 (NVD advisory)
- [3] github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584 (Shopware security advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.