← Back

CVE-2026-31888

nvd nist
Published: Mar 11, 2026Modified: Mar 16, 2026

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: security-advisories@github.com (Secondary)

Description

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

Affected (2)

Products: Shopware: Shopware
Shopware
1 product
Shopware
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Shopware
Shopware
Before 6.6.10.15
Shopware
From 6.7.0.0 to 6.7.8.1

Related CWEs

CWE-204
Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References (1)

Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.