Information disclosure in Shopware - #VU131955


Published: May 20, 2026


Vulnerability identifier: #VU131955
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software:
Shopware

Detailed vulnerability description

The vulnerability allows a remote user to take over any admin account.

The vulnerability exists due to exposure of sensitive information in the user_recovery entity hash field via the Admin API search endpoint when processing user recovery records through POST /api/search/user-recovery. A remote user can trigger password recovery for a victim account, read the recovery hash, and submit it to the password reset endpoint to take over any admin account.

The issue depends on combining an authenticated read of the recovery hash with the unauthenticated password-recovery trigger and password-reset endpoints.
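As an added defender-side example (not from the advisory or from Shopware), the following Python check scans constructed Admin API access-log lines for the chain described above: it reports every POST to /api/search/user-recovery and escalates when a password-reset request from the same source address follows within a short window. The search path is the one named in the advisory; the reset route and the log format are placeholder assumptions.

```python
"""Flag Admin API access-log entries that touch the user_recovery entity."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed combined-style log line: ip - user [timestamp] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Taken from the advisory: the search endpoint that exposes the recovery hash.
SEARCH_PATH = "/api/search/user-recovery"
# Placeholder: the advisory does not name the reset route, so this is assumed.
RESET_PATH_PREFIX = "/PLACEHOLDER/reset-path"


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], TS_FMT)  # drop tz
    return rec


def find_recovery_hash_abuse(lines, window=timedelta(minutes=15)):
    """Return (finding, ip, user) tuples: every search of user_recovery is
    reported, and a reset request from the same IP within `window` after
    such a search is escalated as the full takeover chain."""
    findings = []
    searches_by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["path"] == SEARCH_PATH:
            searches_by_ip[rec["ip"]].append(rec["ts"])
            findings.append(("user_recovery_search", rec["ip"], rec["user"]))
        elif rec["method"] == "POST" and rec["path"].startswith(RESET_PATH_PREFIX):
            if any(timedelta(0) <= rec["ts"] - t <= window
                   for t in searches_by_ip[rec["ip"]]):
                findings.append(("search_then_reset", rec["ip"], rec["user"]))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - editor [20/May/2026:10:00:00 +0000] "POST /api/search/user-recovery HTTP/1.1" 200',
    '203.0.113.5 - - [20/May/2026:10:03:12 +0000] "POST /PLACEHOLDER/reset-path/abc HTTP/1.1" 200',
    '198.51.100.7 - admin [20/May/2026:11:00:00 +0000] "GET /api/product HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in find_recovery_hash_abuse(SAMPLE_LOG):
        print(finding)
```

In a real deployment the search alone is worth alerting on, since low-privileged Admin API users have no routine reason to query user_recovery records.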


Remediation

Install the security update from the vendor's website.

Sources