CVE-2026-32100
Description
Shopware is an open commerce platform. The /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware's /api/_info/config route exposes information about active security fixes, allowing attackers to identify unpatched instances.
The vulnerability exists in the /api/_info/config route of Shopware, an open commerce platform. This endpoint exposes information about which security fixes are actively applied in the instance. The issue stems from the route returning details that can be used to infer the patch level of the system [1].
The endpoint is accessible remotely without authentication or user interaction, making it exploitable by any network attacker. The attack complexity is low, requiring no special privileges or user involvement. An attacker can simply make a request to the route to retrieve the information.
The primary impact is a confidentiality breach, as the attacker gains knowledge of the active security fixes. This information can be used to identify unpatched or vulnerable systems, potentially aiding in targeted attacks against known weaknesses. There is no direct impact on integrity or availability.
Shopware has released fixes in versions 2.0.16, 3.0.12, and 4.0.7. Users are advised to upgrade to these versions immediately. Administrators should also consider restricting access to sensitive API routes where possible.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.