CVE-2026-31888

EPSS 0.05%
Veröffentlicht 11.03.2026 18:53:03
Zuletzt bearbeitet 16.03.2026 20:37:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Shopware ≫ Shopware Version < 6.6.10.15

Shopware ≫ Shopware Version >= 6.7.0.0 < 6.7.8.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.164

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-31888

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31888

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31888

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31888