CVE-2026-39250
Description
An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Innoshop 0.6.0 fails to separate frontend and backend API authentication, allowing a frontend user token to access privileged backend endpoints.
Vulnerability
Innoshop 0.6.0 uses Laravel Sanctum for API token authentication but does not enforce a provider-specific check on backend routes defined in innopacks/restapi/routes/panel-api.php. The auth:sanctum middleware only verifies that the token is valid and the associated model implements HasApiTokens; it does not distinguish between a frontend Customer token and an admin token. As a result, any valid frontend token can be used to access backend application interfaces [1][2].
Exploitation
An attacker registers an account on the frontend and logs in to obtain a Sanctum token. The token is then included in the Authorization: Bearer header when making requests to backend API endpoints. No additional authentication or authorization checks are performed, allowing the attacker to directly call interfaces such as retrieving all frontend user information or editing template files [2].
Impact
Successful exploitation results in unauthorized access to backend functionality, leading to information disclosure (e.g., full user database) and potential modification of system templates. The attacker effectively escalates privileges from a standard frontend user to an administrative-level role, compromising the confidentiality and integrity of the application [2].
Mitigation
As of the publication date (2026-05-19), no official patch has been released for Innoshop 0.6.0. The vendor has not disclosed a fixed version or workaround. Administrators should monitor the official Innoshop repository for updates and consider implementing custom middleware that validates the token's intended guard or provider before granting access to backend routes [1][2].
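A sketch of the guard-validating middleware the mitigation above describes, added here as an example and not Innoshop's own code; the admin model class `App\Models\Admin` and the middleware alias `token.owner` are assumptions.

```php
<?php
// Added example, not Innoshop code. Assumed placeholders: the admin model class
// App\Models\Admin and the middleware alias 'token.owner' (registered in the
// application's middleware aliases, e.g. bootstrap/app.php on Laravel 11).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsureTokenOwnerIs
{
    /**
     * Allow the request only if the model that owns the Sanctum token is one
     * of the listed classes. auth:sanctum has already proved the token is
     * valid; this adds the missing check on *who* the token was issued to.
     *
     * Route usage (assumed alias):
     *   Route::middleware(['auth:sanctum', 'token.owner:' . \App\Models\Admin::class])
     *       ->prefix('panel-api')->group(...);
     */
    public function handle(Request $request, Closure $next, string ...$allowedOwners): Response
    {
        // Sanctum resolves the token's polymorphic tokenable_type into this model,
        // so a storefront Customer token yields a Customer instance here, not an Admin.
        $owner = $request->user();

        if ($owner === null) {
            abort(401, 'Unauthenticated.');
        }

        foreach ($allowedOwners as $allowed) {
            if ($owner instanceof $allowed) {
                return $next($request);
            }
        }

        // A valid token issued to the wrong provider: log it, since under the
        // vulnerable behaviour this request would have succeeded silently.
        logger()->warning('Backend route refused for token owned by another provider', [
            'owner_model' => $owner::class,
            'route'       => $request->path(),
        ]);

        abort(403, 'This token was not issued for the backend API.');
    }
}
```

An equivalent configuration-level approach is to declare a second `sanctum`-driver guard in `config/auth.php` whose `provider` points at the admin model and protect the backend routes with that guard, since Sanctum's guard rejects tokens whose owner is not an instance of the configured provider's model.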
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Innoshop (no CPE assigned): version = 0.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.