CVE-2026-48009
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
Impact
Base Score 3.x
6.80
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/shopware/shopware/commit/06f8b9aa4fecb239a2ff33a6546192d7ce7ed0f8
- https://github.com/shopware/shopware/commit/9ef4873f810e26fb38da051624f7f2720139279a
- https://github.com/shopware/shopware/commit/d82c23d8d5b22dd722c8f76c4f66785d1a7a72d8
- https://github.com/shopware/shopware/releases/tag/v6.6.10.18
- https://github.com/shopware/shopware/releases/tag/v6.7.10.1
- https://github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98f



