CVE
CVE-2026-31887
Shopware: Unauthenticated data extraction possible through store-api.order endpoint
Summary
An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint.
Details
Data Exposure
Depending on the order payload configuration, attackers may retrieve:
- Customer names
- Billing address
- Shipping address
- Email addresses
- Ordered products
- Order values
- Order numbers
- Order dates
- Payment method information
- Shipping method information
- More customs, depending on the given associations in the request
Security Impact
This vulnerability allows:
- Unauthorized access to foreign customer order data
- Mass enumeration of recent orders
- Potential scraping of customer personal information
Limitation
No limitation, but only orders from the past 30 days are checked for changeable means of payment (unrelated).
Impact
The code is present since ~2021. Likely every version since then is impacted for every store.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.9
-
4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584, https://nvd.nist.gov/vuln/detail/CVE-2026-31887, https://github.com/shopware/shopware
Basic Information
Ecosystem
