CVE-2026-31887

UNKNOWN 0.0

Shopware unauthenticated data extraction possible through store-api.order endpoint

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

CWE	CWE-863
Vendor	shopware
Product	core
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for shopware core

Be the first to know when new unknown vulnerabilities affecting shopware core are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

shopware / core

>= 6.7.0.0, < 6.7.8.1 < 6.6.10.15

shopware / platform

>= 6.7.0.0, < 6.7.8.1 < 6.6.10.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584