๐Ÿ” CVE Alert

CVE-2026-48010

MEDIUM 6.5

Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser() in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEM_SCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users; IntegrationController::upsertIntegration() contains an isAdmin() check for the same field, but UserController was missing this check. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CWE CWE-269
Vendor shopware
Product shopware
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for shopware shopware

Be the first to know when new medium vulnerabilities affecting shopware shopware are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

shopware / shopware
< 6.6.10.18 >= 6.7.0.0, < 6.7.10.1
shopware / platform
< 6.6.10.18 >= 6.7.0.0, < 6.7.10.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/shopware/shopware/security/advisories/GHSA-v39m-97p8-gqg7 github.com: https://github.com/shopware/shopware/commit/7f1cef324ca4edfa6369264cc1c41287d032624d github.com: https://github.com/shopware/shopware/commit/d8d9a34a9255abf69c2798015a17cd6a80b08c25 github.com: https://github.com/shopware/shopware/releases/tag/v6.6.10.18 github.com: https://github.com/shopware/shopware/releases/tag/v6.7.10.1