Authorization bypass through user-controlled key in Shopware - #VU131952

Published: May 20, 2026


Vulnerability identifier: #VU131952
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software:
Shopware

Detailed vulnerability description

The vulnerability allows a remote user to trigger payment attempts for another user's order.

The vulnerability exists due to improper access control in /store-api/handle-payment when processing a user-supplied orderId. A remote user can submit a foreign orderId to trigger payment attempts for another user's order.

A guest customer context is sufficient to reach the endpoint, and the issue affects both payment initiation and payment retry flows for orders that the calling context does not own.
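The pattern behind CWE-639 here is a route that resolves the user-supplied orderId directly, without relating the order to the customer bound to the caller's sales-channel context. The following is an added illustration and not Shopware's own code: the classes, the in-memory repository, the sample orders and the two handler functions are hypothetical stand-ins for the real SalesChannelContext and order repository a Store API route receives.

```php
<?php
declare(strict_types=1);

// Hypothetical simplified model of a Store API payment-handling route.
// None of these classes are Shopware's; they stand in for the context and
// repository objects a real route would be given.

final class SalesChannelContext
{
    public function __construct(
        public readonly string $token,        // caller's sw-context-token
        public readonly ?string $customerId,  // registered or guest customer id, null if none
    ) {}
}

final class Order
{
    public function __construct(
        public readonly string $id,
        public readonly string $customerId,   // owning customer of the order
        public readonly string $state,
    ) {}
}

final class OrderRepository
{
    /** @param array<string, Order> $orders keyed by order id (constructed sample data) */
    public function __construct(private array $orders) {}

    public function findById(string $orderId): ?Order
    {
        return $this->orders[$orderId] ?? null;
    }
}

// Vulnerable pattern: the route trusts the user-supplied orderId and never
// relates it to the caller's context, so any order id that exists can be
// pushed into a payment attempt by any caller (CWE-639).
function handlePaymentVulnerable(OrderRepository $repo, SalesChannelContext $ctx, string $orderId): string
{
    $order = $repo->findById($orderId);
    if ($order === null) {
        return 'not found';
    }
    return "payment attempt started for order {$order->id}";
}

// Hardened pattern: the order must be owned by the customer bound to the
// caller's context token. A guest checkout is also bound to a customer id,
// so a guest context can only reach the orders it created itself.
function handlePaymentHardened(OrderRepository $repo, SalesChannelContext $ctx, string $orderId): string
{
    if ($ctx->customerId === null) {
        return 'forbidden: no customer bound to context';
    }
    $order = $repo->findById($orderId);
    // Answer "not found" for both missing and foreign orders so the endpoint
    // does not reveal which order ids exist.
    if ($order === null || !hash_equals($order->customerId, $ctx->customerId)) {
        return 'not found';
    }
    return "payment attempt started for order {$order->id}";
}

// Constructed sample data: two customers with one open order each.
$repo = new OrderRepository([
    'order-a' => new Order('order-a', 'customer-alice', 'open'),
    'order-b' => new Order('order-b', 'customer-bob', 'open'),
]);
$guestBob = new SalesChannelContext('token-bob', 'customer-bob');

// Bob submits Alice's order id to both variants, then his own to the hardened one.
echo handlePaymentVulnerable($repo, $guestBob, 'order-a'), PHP_EOL;
echo handlePaymentHardened($repo, $guestBob, 'order-a'), PHP_EOL;
echo handlePaymentHardened($repo, $guestBob, 'order-b'), PHP_EOL;
```

Run with `php handle-payment.php` (PHP 8.1 or later for the readonly promoted properties). The vulnerable handler starts a payment attempt for the foreign order; the hardened one treats it as not found. When verifying a real installation, the check to look for is that the order lookup in the handle-payment path is filtered by the owning customer of the current context (in Shopware, the order's orderCustomer relation) rather than by order id alone, and that a context with no customer cannot reach the payment flow at all.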


Remediation

Install the security update from the vendor's website.

Sources