Shopware: Attackers can steal customer order data without a password
CVE-2026-31887
GHSA-7vvp-j573-5584
Summary
Shopware's store-api.order endpoint does not sufficiently restrict the filter types that unauthenticated (guest) customers may use with its deepLinkCode order lookup, so a guest can read other customers' orders. Exposed data includes customer names, billing and shipping addresses, email addresses and order details. Shopware stores should update to 6.7.8.1 (6.7 line) or 6.6.10.15 (6.6 line) to fix this issue.
What to do
- Update shopware core to version 6.7.8.1.
- Update shopware core to version 6.6.10.15.
- Update shopware platform to version 6.7.8.1.
- Update shopware platform to version 6.6.10.15.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| shopware | core | > 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware | core | < 6.6.10.15 | 6.6.10.15 |
| shopware | platform | > 6.7.0.0, < 6.7.8.1 | 6.7.8.1 |
| shopware | platform | < 6.6.10.15 | 6.6.10.15 |
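A quick way to check an installation against the fixed versions above is to read the pinned version out of the project's composer.lock. The script below is an added example, not a Shopware tool; it assumes that any version at or above 6.7.0.0 belongs to the 6.7 line (fixed in 6.7.8.1) and that everything older belongs to the 6.6 line (fixed in 6.6.10.15). The composer.lock excerpt is constructed for the demonstration.

```python
"""Flag shopware/core or shopware/platform entries in composer.lock that are
below the fixed versions from the advisory (added example, not Shopware code)."""
import json
import re

# Fixed versions from the advisory, keyed by release line (assumed split at 6.7.0.0).
FIXED_67 = (6, 7, 8, 1)
FIXED_66 = (6, 6, 10, 15)

WATCHED = ("shopware/core", "shopware/platform")


def parse_version(version):
    """composer.lock stores versions like 'v6.7.8.0'; return a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        # dev branches ("dev-trunk", "6.7.x-dev") cannot be placed in a range
        raise ValueError(f"cannot evaluate non-release version {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is below the fix for its release line."""
    v = parse_version(version)
    if v >= (6, 7, 0, 0):
        return v < FIXED_67
    return v < FIXED_66


def affected_packages(lock_json):
    """Return {package: (version, affected)} for the watched packages in a lock file."""
    lock = json.loads(lock_json)
    result = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg["name"] in WATCHED:
            result[pkg["name"]] = (pkg["version"], is_affected(pkg["version"]))
    return result


# Constructed composer.lock excerpt for the demonstration.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "shopware/core", "version": "v6.7.8.0"},
    {"name": "shopware/storefront", "version": "v6.7.8.0"},
]})

if __name__ == "__main__":
    for name, (version, affected) in affected_packages(SAMPLE_LOCK).items():
        print(f"{name} {version}: {'AFFECTED, update' if affected else 'fixed'}")
```

Run it against a real lock file with `affected_packages(open("composer.lock").read())`; a `ValueError` means the project tracks a dev branch and the version has to be checked by hand.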
Original title
Shopware: Unauthenticated data extraction possible through store-api.order endpoint
Original description
### Summary
An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `deepLinkCode` support on the `store-api.order` endpoint.
### Details
#### Data Exposure
Depending on the order payload configuration, attackers may retrieve:
- Customer names
- Billing address
- Shipping address
- Email addresses
- Ordered products
- Order values
- Order numbers
- Order dates
- Payment method information
- Shipping method information
- Further fields, depending on the associations requested in the query
#### Security Impact
This vulnerability allows:
- Unauthorized access to foreign customer order data
- Mass enumeration of recent orders
- Potential scraping of customer personal information
#### Limitation
None. (Separately, only orders from the past 30 days are checked for a changeable payment method; that check is unrelated to this issue.)
### Impact
The affected code has been present since about 2021, so every version released since then is likely impacted, for every store.
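The failing check described above, reconstructed as an added example in Python (Shopware itself is PHP, and this is not its code): a guest may search orders only by the deepLinkCode from their own confirmation link. The vulnerable guard below verifies which field is filtered but not the filter type, which is an assumed illustration of the insufficient filter-type check the advisory describes; any filter on deepLinkCode passes, so a short prefix, a contains match or an OR of guesses widens the result to other customers' orders. The hardened guard accepts only a single exact-match filter carrying a complete code. The order records, the 32-character code format and the filter names are constructed for the demonstration.

```python
"""Guest order lookup: a field-only guard (CWE-863) beside a type-and-value guard.
Added example; the data and filter names are constructed, not Shopware's schema."""
import re

# Constructed sample orders (assumed shape).
ORDERS = [
    {"orderNumber": "10001", "deepLinkCode": "kLm9QzT2vXcP4rBn7YwD1sHf3GjE5aUq",
     "email": "alice@example.com", "amountTotal": 49.90},
    {"orderNumber": "10002", "deepLinkCode": "kLm3NpR8wZyV6tCx0QdS2hJg4LfK9bEo",
     "email": "bob@example.com", "amountTotal": 129.00},
    {"orderNumber": "10003", "deepLinkCode": "Zq7WvU1nM5yT8rXs3CbP0kHd6JgL2fAe",
     "email": "carol@example.com", "amountTotal": 15.50},
]

# Assumed format of a complete deep link code: 32 URL-safe characters.
DEEP_LINK_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{32}$")


def matches(order, flt):
    """Evaluate one criteria filter against one order."""
    kind = flt["type"]
    if kind == "multi":
        results = [matches(order, q) for q in flt["queries"]]
        return any(results) if flt.get("operator", "and") == "or" else all(results)
    value = order.get(flt.get("field"))
    if kind == "equals":
        return value == flt["value"]
    if kind == "contains":
        return isinstance(value, str) and flt["value"] in value
    if kind == "prefix":
        return isinstance(value, str) and value.startswith(flt["value"])
    raise ValueError(f"unsupported filter type {kind!r}")


def search_orders(filters):
    """Return every order matching all top-level filters."""
    return [o for o in ORDERS if all(matches(o, f) for f in filters)]


def fields_of(flt):
    """Set of field names a filter (recursively) touches."""
    if flt["type"] == "multi":
        return {f for q in flt["queries"] for f in fields_of(q)}
    return {flt.get("field")}


def guest_order_search_vulnerable(filters):
    """Checks only WHICH field is filtered, never HOW: prefix, contains and OR
    filters on deepLinkCode all pass and can match other customers' orders."""
    if not filters or any(fields_of(f) != {"deepLinkCode"} for f in filters):
        raise PermissionError("guests may only search by deepLinkCode")
    return search_orders(filters)


def guest_order_search_fixed(filters):
    """Requires exactly one exact-match filter carrying a complete code, so the
    result can only be the order whose code the caller already holds."""
    if len(filters) != 1:
        raise PermissionError("guests must supply exactly one filter")
    f = filters[0]
    if f.get("type") != "equals" or f.get("field") != "deepLinkCode":
        raise PermissionError("guests may only use an equals filter on deepLinkCode")
    if not isinstance(f.get("value"), str) or not DEEP_LINK_CODE_RE.match(f["value"]):
        raise PermissionError("deepLinkCode must be a complete code")
    return search_orders(filters)


def guard_rejects(guard, filters):
    """True if the guard refuses the request with PermissionError."""
    try:
        guard(filters)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    legit = [{"type": "equals", "field": "deepLinkCode", "value": ORDERS[0]["deepLinkCode"]}]
    scrape = [{"type": "prefix", "field": "deepLinkCode", "value": "kLm"}]
    print("legitimate lookup:", [o["orderNumber"] for o in guest_order_search_fixed(legit)])
    print("vulnerable guard, 3-char prefix:",
          [o["orderNumber"] for o in guest_order_search_vulnerable(scrape)])
    print("fixed guard rejects the prefix filter:", guard_rejects(guest_order_search_fixed, scrape))
```

The hardened guard also refuses a `multi` filter, even when each sub-query is an `equals` on deepLinkCode, because an OR of guessed codes is still an enumeration primitive; rate limiting on the endpoint is a separate control and does not replace the type check.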
NVD CVSS 4.0 score: 8.9
Vulnerability type: CWE-863 Incorrect Authorization
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026