Information Exposure Through Timing Discrepancy in Shopware - #VU131956

Published: May 20, 2026


Vulnerability identifier: #VU131956
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-208
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software:
Shopware

Detailed vulnerability description

The vulnerability allows a remote attacker to enumerate administrator usernames.

The vulnerability exists due to an observable timing discrepancy in getUserEntityByUserCredentials() in src/Core/Framework/Api/OAuth/UserRepository.php when handling authentication requests to api/oauth/token. A remote attacker can send authentication requests and measure response times to enumerate administrator usernames.

The issue occurs because requests for nonexistent usernames return earlier than requests for existing usernames, which proceed to password verification and therefore take measurably longer.
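The pattern behind CWE-208 here is a login routine that returns as soon as the username lookup fails, skipping the expensive password hash. The following is an added example, not Shopware's code: it is written in Python rather than PHP, with a constructed user table, illustrative PBKDF2 parameters, and hypothetical function names (`login_vulnerable`, `login_hardened`). It shows the early-return version beside a fixed version that verifies a dummy credential for unknown users so that both paths perform the same key derivation, and it reports how many derivations each call performed so the difference is visible without a stopwatch.

```python
"""Constant-work login check: the timing-leak pattern and its fix.

Added example, not Shopware code. The user table, the PBKDF2 parameters and
the function names are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import statistics
import time

PBKDF2_ITERATIONS = 50_000  # assumption: high enough to make verification measurable


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Expensive password hash (the step an early return would skip)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def make_user_table(credentials):
    """Build a constructed username -> (salt, key) store."""
    table = {}
    for username, password in credentials:
        salt = os.urandom(16)
        table[username] = (salt, derive_key(password.encode(), salt))
    return table


USERS = make_user_table([("admin", "correct horse battery staple")])

# Dummy credential: derived from random bytes so no submitted password can match.
# It is verified whenever the username is unknown, so that path costs the same
# as the path for a real user.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = derive_key(secrets.token_bytes(32), _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Returns (authenticated, hash_operations_performed).

    Unknown usernames return before any password hashing, so the
    response is faster than for a known username (the CWE-208 pattern).
    """
    record = USERS.get(username)
    if record is None:
        return False, 0
    salt, key = record
    ok = hmac.compare_digest(derive_key(password.encode(), salt), key)
    return ok, 1


def login_hardened(username: str, password: str):
    """Same contract, but every request performs exactly one key derivation.

    An unknown username is checked against the dummy key and the result is
    forced to False, so known and unknown names take the same code path.
    """
    record = USERS.get(username)
    known = record is not None
    salt, key = record if known else (_DUMMY_SALT, _DUMMY_KEY)
    matches = hmac.compare_digest(derive_key(password.encode(), salt), key)
    # The derivation above runs unconditionally; only the final answer depends on `known`.
    return (matches and known), 1


def median_ms(fn, username, password, rounds=5):
    """Median wall-clock time of fn(username, password) in milliseconds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    # Local check of the mitigation: the hardened variant should show no gap
    # between a known and an unknown username.
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = median_ms(fn, "admin", "wrong password")
        unknown = median_ms(fn, "nobody", "wrong password")
        print(f"{name:10s} known user: {known:7.2f} ms   unknown user: {unknown:7.2f} ms")
```

The essential change is that the user lookup no longer short-circuits the password check. Verifying against a dummy hash is the usual fix for this class of issue; an alternative is to pad the unknown-user path with a sleep, but that drifts as hashing cost changes, whereas performing the same derivation stays aligned with the real path by construction.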


Remediation

Install the security update from the vendor's website.

Sources