CVE-2026-31888

MEDIUM 5.3

Shopware has user enumeration via distinct error codes on Store API login endpoint

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

CWE	CWE-204
Vendor	shopware
Product	core
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for shopware core

Be the first to know when new medium vulnerabilities affecting shopware core are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

shopware / core

>= 6.7.0.0, < 6.7.8.1 < 6.6.10.15

shopware / platform

>= 6.7.0.0, < 6.7.8.1 < 6.6.10.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq