What is CVE-2026-31888?

CVE-2026-31888 is a medium-severity vulnerability in Shopware Core, classified under Observable Response Discrepancy. CVSS score: 5.3/10. Published 2026-03-11.

How severe is CVE-2026-31888?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Shopware Core

CVE-2026-31888

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered cust…

EPSS: 0.001 (17.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Shopware Core — versions >= 6.7.0.0, < 6.7.8.1, < 6.6.10.15
Shopware Platform — versions >= 6.7.0.0, < 6.7.8.1, < 6.6.10.14

Weakness classification (CWE)

CWE-204 — Observable Response Discrepancy

References

https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-31888?: CVE-2026-31888 is a medium-severity vulnerability in Shopware Core, classified under Observable Response Discrepancy. CVSS score: 5.3/10. Published 2026-03-11.
How severe is CVE-2026-31888?: Medium severity. CVSS v3 base score is 5.3 out of 10.