Improper access control in Shopware - #VU131935
Published: June 24, 2021 / Updated: May 20, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote user to cancel orders belonging to other users.
The vulnerability exists due to improper access control in the order cancellation functionality. A remote user can submit a cancellation request for an order that is not related to the logged-in user and thereby cancel orders belonging to other users.