CVE-2026-31887
Shopware: Unauthenticated data extraction possible through store-api.order endpoint
Description
### Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `deepLinkCode` support on the `store-api.order` endpoint. ### Details #### Data Exposure Depending on the order payload configuration, attackers may retrieve: - Customer names - Billing address - Shipping address - Email addresses - Ordered products - Order values - Order numbers - Order dates - Payment method information - Shipping method information - More customs, depending on the given associations in the request #### Security Impact This vulnerability allows: - Unauthorized access to foreign customer order data - Mass enumeration of recent orders - Potential scraping of customer personal information #### Limitation No limitation, but only orders from the past 30 days are checked for changeable means of payment (unrelated). ### Impact The code is present since ~2021. Likely every version since then is impacted for every store.
How to fix CVE-2026-31887
To remediate CVE-2026-31887, upgrade the affected package to a fixed version below.
- —upgrade to 6.7.8.1 or later
- —upgrade to 6.7.8.1 or later
Is CVE-2026-31887 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 6.7.0.0, < 6.7.8.1
- >= 6.7.0.0, < 6.7.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |