Auth bypass in Shopware Core
CVE-2026-31887
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the stor…
Vulnerability class: Broken Access Control
EPSS: 0.001 (15.9th percentile)
Affected products
- Shopware Core — versions >= 6.7.0.0, < 6.7.8.1, < 6.6.10.15
- Shopware Platform — versions >= 6.7.0.0, < 6.7.8.1, < 6.6.10.15
Weakness classification (CWE)
References
- https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584 (x_refsource_CONFIRM)