Authentication mechanism absence or evasion in shopware/core

Description

Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Summary

An insufficient check on the filter types accepted from unauthenticated customers allows access to other customers' orders. The affected code is the deepLinkCode support of the store-api.order endpoint, which lets a guest look up an order by its deepLinkCode without a customer session.
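The following is an added, illustrative model of the check described above; it is not Shopware's code and does not reproduce the actual patch. The criteria shape (a list of `{"type", "field", "value"}` filters), the sample orders and the function names are constructed for this example. It contrasts a guest lookup that only checks that a deepLinkCode filter is present (so a wildcard-like filter type such as `prefix` with an empty value still matches every order) with one that accepts exactly one `equals` filter on `deepLinkCode`.

```python
"""Model of a guest order lookup keyed by deepLinkCode (example code, not Shopware's)."""

# Constructed sample orders for this example; not real data.
ORDERS = [
    {"orderNumber": "10001", "deepLinkCode": "a" * 32, "email": "alice@example.com"},
    {"orderNumber": "10002", "deepLinkCode": "b" * 32, "email": "bob@example.com"},
    {"orderNumber": "10003", "deepLinkCode": "c" * 32, "email": "carol@example.com"},
]


def _matches(order, flt):
    """Evaluate one criteria filter against one order (a small subset of filter types)."""
    value = str(order.get(flt["field"], ""))
    kind = flt["type"]
    if kind == "equals":
        return value == str(flt["value"])
    if kind == "prefix":
        return value.startswith(str(flt["value"]))
    if kind == "contains":
        return str(flt["value"]) in value
    if kind == "not":
        return not any(_matches(order, q) for q in flt["queries"])
    raise ValueError(f"unsupported filter type {kind!r}")


def _search(filters):
    """Return every order that satisfies all filters (AND semantics)."""
    return [o for o in ORDERS if all(_matches(o, f) for f in filters)]


def vulnerable_guest_search(filters):
    """Insufficient check: only verifies that *some* filter targets deepLinkCode.

    The filter type is not constrained, so e.g. a 'prefix' filter with an empty
    value, or a 'not' filter, matches orders whose code the caller never knew.
    """
    if not any(f.get("field") == "deepLinkCode" for f in filters):
        raise PermissionError("deepLinkCode filter required for guest access")
    return _search(filters)


def hardened_guest_search(filters):
    """Allow-list check: exactly one 'equals' filter on deepLinkCode, nothing else.

    A guest can then only retrieve an order whose full code they already hold.
    """
    if len(filters) != 1:
        raise PermissionError("exactly one filter allowed for guest access")
    flt = filters[0]
    if flt.get("type") != "equals" or flt.get("field") != "deepLinkCode":
        raise PermissionError("guest access requires an equals filter on deepLinkCode")
    code = flt.get("value")
    if not isinstance(code, str) or not code:
        raise PermissionError("deepLinkCode must be a non-empty string")
    return _search([{"type": "equals", "field": "deepLinkCode", "value": code}])


def demo():
    """Run both variants against an enumerating filter and a legitimate one."""
    enumerate_all = [{"type": "prefix", "field": "deepLinkCode", "value": ""}]
    legit = [{"type": "equals", "field": "deepLinkCode", "value": "b" * 32}]
    leaked = [o["orderNumber"] for o in vulnerable_guest_search(enumerate_all)]
    try:
        hardened_guest_search(enumerate_all)
        blocked = False
    except PermissionError:
        blocked = True
    own = [o["orderNumber"] for o in hardened_guest_search(legit)]
    return {"leaked_by_vulnerable": leaked, "blocked_by_hardened": blocked, "own_order": own}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that the authorisation decision is made on the shape of the request, not just on the presence of a field name: any filter type that can match more than one code (prefix, contains, negation, range) turns a per-order secret into an enumeration primitive.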

Details

Data Exposure

Depending on which associations the request includes in the order payload, an attacker may retrieve:

    Customer names

    Billing address

    Shipping address

    Email addresses

    Ordered products

    Order values

    Order numbers

    Order dates

    Payment method information

    Shipping method information

    Further fields, depending on the associations requested

Security Impact

This vulnerability allows:

    Unauthorized access to foreign customer order data

    Mass enumeration of recent orders

    Potential scraping of customer personal information

Limitation

None. (The 30-day window within which orders are checked for a changeable payment method is unrelated to this issue.)

Impact

The affected code has been present since roughly 2021; every version released since then is likely affected, for every store.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-N91IY – Vulnerability | Fluid Attacks Database