Shopware has user enumeration via distinct error codes on Store API login endpoint
Description
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware Store API login endpoint leaks valid customer emails via distinct error codes, enabling unauthenticated user enumeration.
Vulnerability
The Store API login endpoint (POST /store-api/account/login) in Shopware versions prior to 6.7.8.1 and 6.6.10.15 returns different error codes depending on whether the submitted email address belongs to a registered customer. If the email is unknown, a CustomerNotFoundException with code CHECKOUT__CUSTOMER_NOT_FOUND is thrown, and the response echoes the probed email. If the email exists but the password is wrong, a BadCredentialsException with CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS is returned [1][2]. This observable response discrepancy (CWE-204) allows an unauthenticated attacker to identify which email addresses belong to valid customer accounts.
Exploitation
The difference originates in AccountService::getCustomerByLogin(), which calls getCustomerByEmail() first and catches two distinct exception types [1]. An attacker simply sends login requests with different email addresses and observes the error code in the JSON response; no authenticated session is required, which makes the attack lightweight and easy to automate [2]. The storefront login controller correctly unifies both error paths, but the Store API does not, indicating an inconsistent defense [1][2].
Impact
By enumerating valid customer accounts, an attacker can build a list of active users on a Shopware instance. This information can be used for targeted phishing, credential stuffing, or social engineering campaigns. The attack does not compromise the account itself, but leaks sensitive information about the user base [1][2].
Mitigation
The vulnerability is fixed in Shopware versions 6.7.8.1 and 6.6.10.15 [1][2]. Users should upgrade to these versions or later. No workaround is mentioned; a full patch is required to unify the error codes [1].
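Until an instance is upgraded, the discrepancy can at least be watched for: an enumerator cycles through many different addresses, while a genuine customer retrying a password repeats one. The following is an added example, not Shopware code; it scans constructed JSON log lines and flags clients that hit the Store API login endpoint with many distinct emails, and the log field names (ip, path, email, code) are assumed.

```python
import json
from collections import defaultdict

LOGIN_PATH = "/store-api/account/login"
ERROR_CODES = ("CHECKOUT__CUSTOMER_NOT_FOUND", "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS")

# Constructed log excerpt (one JSON object per line); the IPs, addresses,
# field names and order of events are made up for this example.
SAMPLE_LOG = """
{"ip": "203.0.113.7", "path": "/store-api/account/login", "email": "a@example.com", "code": "CHECKOUT__CUSTOMER_NOT_FOUND"}
{"ip": "203.0.113.7", "path": "/store-api/account/login", "email": "b@example.com", "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS"}
{"ip": "198.51.100.2", "path": "/store-api/account/login", "email": "me@example.com", "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS"}
{"ip": "203.0.113.7", "path": "/store-api/account/login", "email": "c@example.com", "code": "CHECKOUT__CUSTOMER_NOT_FOUND"}
{"ip": "203.0.113.7", "path": "/store-api/product", "email": null, "code": null}
not a json line
{"ip": "198.51.100.2", "path": "/store-api/account/login", "email": "me@example.com", "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS"}
{"ip": "203.0.113.7", "path": "/store-api/account/login", "email": "d@example.com", "code": "CHECKOUT__CUSTOMER_NOT_FOUND"}
{"ip": "203.0.113.7", "path": "/store-api/account/login", "email": "e@example.com", "code": "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS"}
"""


def parse_login_failures(text):
    """Yield (ip, email, code) for failed Store API logins; skip other
    endpoints and malformed lines instead of aborting the scan."""
    for raw in text.splitlines():
        try:
            rec = json.loads(raw.strip())
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if rec.get("path") == LOGIN_PATH and rec.get("code") in ERROR_CODES:
            yield rec["ip"], rec["email"], rec["code"]


def find_enumeration(text, min_distinct_emails=5):
    """Return {ip: stats} for clients that probed at least
    `min_distinct_emails` different addresses, with a per-code count so an
    analyst can see the NOT_FOUND / BAD_CREDENTIALS split they were observing."""
    emails = defaultdict(set)
    codes = defaultdict(lambda: defaultdict(int))
    for ip, email, code in parse_login_failures(text):
        emails[ip].add(email)
        codes[ip][code] += 1
    return {
        ip: {"distinct_emails": len(seen), **codes[ip]}
        for ip, seen in emails.items()
        if len(seen) >= min_distinct_emails
    }
```

Once the instance runs a fixed version both paths return the same code, so the per-code split disappears but the distinct-email heuristic still applies.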
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shopware/platform (Packagist) | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware/platform (Packagist) | < 6.6.10.14 | 6.6.10.14 |
| shopware/core (Packagist) | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware/core (Packagist) | < 6.6.10.15 | 6.6.10.15 |
Affected products
- shopware/core: >= 6.7.0.0, < 6.7.8.1
- shopware/platform: >= 6.7.0.0, < 6.7.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gqc5-xv7m-gcjq (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-31888 (ADVISORY)
- github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq (CONFIRM, WEB)
News mentions
No linked articles in our index yet.