Improper access control in Shopware - CVE-2022-24745
Published: March 9, 2022 / Updated: May 19, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote attacker to access another customer's guest session data.
The vulnerability exists due to improper access control in the guest session handling logic when HTTP cache is enabled. A remote attacker can send requests that reuse a shared guest session to access another customer's guest session data.
Only installations with HTTP cache enabled are vulnerable. Setups using Varnish are not affected.