CVE-2026-31889 — Authentication Bypass by Spoofing in Core

CWE-290 — Authentication Bypass by Spoofing4 documents4 sources

Severity

8.9HIGHNVD

EPSS

0.1%

top 78.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Core Shopware Platform Shopware

Timeline

PublishedMar 11

Description

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or …

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:LExploitability: 2.2 | Impact: 6.0

Affected Packages5 packages

▶CVEListV5shopware/platform< 6.6.10.15+1

▶Packagistshopware/platform6.7.0.0 — 6.7.8.1+1

▶CVEListV5shopware/core< 6.6.10.15+1

▶Packagistshopware/core6.7.0.0 — 6.7.8.1+1

▶NVDshopware/shopware6.7.0.0 — 6.7.8.1+1

🔴Vulnerability Details

OSV

Shopware vulnerable to a potential take over of app credentials↗2026-03-11

▶

GHSA

Shopware vulnerable to a potential take over of app credentials↗2026-03-11

▶

🕵️Threat Intelligence

Wiz

CVE-2026-31889 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶