Main Vulnerability Database Vulnerabilities #VU131954

Missing Authorization in Shopware - #VU131954

Published: May 20, 2026

Vulnerability identifier: #VU131954

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-862

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Shopware

Affected software:
Shopware

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to missing authorization in the Sync API integration write path when handling crafted Sync API requests to create integrations. A remote privileged user can create an integration with the admin field set to true via POST /api/_action/sync to escalate privileges.

The dedicated integration endpoint applies an admin check, but the Sync API writes directly through the DAL EntityWriter, and the integration entity definition lacks write protection on the admin field.

Remediation

Install security update from vendor's website.

Sources

https://github.com/shopware/shopware/security/advisories/GHSA-gv8p-48fr-4fxg

Missing Authorization in Shopware - #VU131954

Detailed vulnerability description

Remediation

Sources

Please verify you're human