CVE-2026-31889 - Vulnerability Analysis
High | CVSS: 8.9 | Last Updated: March 12, 2026
Shopware - Authentication Bypass
Published: March 11, 2026 | Updated: March 12, 2026 | Remote Exploitable
Overview
Shopware < 6.6.10.15 and < 6.7.8.1 contains a broken authentication flaw caused by insufficient binding of a shop installation to its original domain in the app registration flow. This lets attackers hijack app communication and obtain API credentials. Exploitation requires possession of the app-side secret.
Severity & Score
Severity: High
CVSS Score: 8.9
Impact
Attackers can hijack app communication and obtain API credentials, leading to unauthorized access to shop data and operations.
Mitigation
Update to Shopware 6.6.10.15 or 6.7.8.1, or a later release.
Details
- CVE ID: CVE-2026-31889
- Severity: High
- CVSS Score: 8.9
- Type: broken_authentication
- Status: unconfirmed
CWE
- CWE-290
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L