CVE-2026-32142
Description
Shopware is an open commerce platform. The /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated access to Shopware's /api/_info/config endpoint leaks licensing information, patched in versions 7.8.1 and 6.10.15.
Vulnerability
Description
CVE-2026-32142 is an information disclosure vulnerability in the Shopware open commerce platform. The /api/_info/config REST API endpoint exposes sensitive details about the system's licenses without requiring any form of authentication [1]. This misconfiguration allows a remote attacker to obtain licensing information that is otherwise intended to be restricted.
Exploitation
The attack vector is network-based, requires no privileges, and involves no user interaction [1]. An attacker can simply send a GET request to the /api/_info/config route to retrieve the exposed data. The vulnerability is classified with low attack complexity, making it trivial for anyone with network access to the application to exploit [1].
Impact
This flaw only affects the confidentiality of the system; there is no impact on integrity or availability [1]. Leaked licensing information could potentially be used in further targeted attacks or to assess the scope of the deployed licenses, but the primary risk is unauthorized exposure of internal configuration data.
Mitigation
The vendor has released patches in version 7.8.1 for the 7.x branch and version 6.10.15 for the 6.x branch [1]. All users are advised to upgrade immediately. No workarounds have been documented, but restricting network access to the /api/ endpoints could mitigate exposure until the patch can be applied.
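To check whether the route was already being read before the upgrade or network restriction was in place, web server access logs can be reviewed. The following is an added example, not code from Shopware or from this advisory; it assumes the common/combined access log format, a hypothetical trusted network in `TRUSTED`, and uses constructed sample log lines.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

ROUTE = "/api/_info/config"  # route named in the advisory
# Assumption: legitimate API clients come only from this network.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

# Common/combined access log format (nginx, Apache).
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize(target):
    """Drop the query string, decode, and collapse the path for comparison."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(ip in net for net in TRUSTED)

def find_hits(lines):
    """Return (timestamp, client, raw target) for successful GETs of ROUTE
    from clients outside TRUSTED."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        if normalize(m["target"]) == ROUTE and not is_trusted(m["ip"]):
            hits.append((m["ts"], m["ip"], m["target"]))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '203.0.113.7 - - [18/May/2026:10:01:02 +0000] "GET /api/_info/config HTTP/1.1" 200 512 "-" "-"',
    '10.1.2.3 - - [18/May/2026:10:02:00 +0000] "GET /api/_info/config HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [18/May/2026:10:03:10 +0000] "GET /api//_info/config/?a=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [18/May/2026:10:03:11 +0000] "GET /api/_info/config HTTP/1.1" 401 64 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(*hit)
```

Each reported client received a successful response from the route and should be treated as having seen the licensing data.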
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.