CVE-2026-48009
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-200
Revelación de información
Fecha de publicación:
17/07/2026
Última modificación:
17/07/2026
Descripción
*** Pendiente de traducción *** Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
Impacto
Puntuación base 3.x
6.80
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://github.com/shopware/shopware/commit/06f8b9aa4fecb239a2ff33a6546192d7ce7ed0f8
- https://github.com/shopware/shopware/commit/9ef4873f810e26fb38da051624f7f2720139279a
- https://github.com/shopware/shopware/commit/d82c23d8d5b22dd722c8f76c4f66785d1a7a72d8
- https://github.com/shopware/shopware/releases/tag/v6.6.10.18
- https://github.com/shopware/shopware/releases/tag/v6.7.10.1
- https://github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98f



