Improper access control in Shopware - #VU131937
Published: April 12, 2021 / Updated: May 20, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in web root file exposure when serving requests with the project root configured as the web root instead of /public. A remote attacker can request sensitive files such as .env to disclose sensitive information.
Exposure occurs only when the project root is configured as the web root instead of /public.