๐Ÿ” CVE Alert

CVE-2026-48008

MEDIUM 6.5

Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/_action/sync; the regular integration endpoint POST /api/integration blocks this, but SyncController::sync() routes writes through SyncService to EntityWriter::upsert(), and src/Core/Framework/Integration/IntegrationDefinition.php lacks WriteProtection on the admin field. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CWE CWE-862
Vendor shopware
Product shopware
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for shopware shopware

Be the first to know when new medium vulnerabilities affecting shopware shopware are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

shopware / shopware
< 6.6.10.18 >= 6.7.0.0, < 6.7.10.1
shopware / platform
< 6.6.10.18 >= 6.7.0.0, < 6.7.10.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/shopware/shopware/security/advisories/GHSA-gv8p-48fr-4fxg github.com: https://github.com/shopware/shopware/commit/1e047f6d7fd9129271e28c1c9f1c272983c6f48f github.com: https://github.com/shopware/shopware/commit/db5adff33ec30b648979cd1938c87f164f7b3073 github.com: https://github.com/shopware/shopware/releases/tag/v6.6.10.18 github.com: https://github.com/shopware/shopware/releases/tag/v6.7.10.1