CVE-2026-31888

Source
https://cve.org/CVERecord?id=CVE-2026-31888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31888
Aliases
Published
2026-03-11T18:53:03.018Z
Modified
2026-03-14T13:48:58.165756Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Shopware has user enumeration via distinct error codes on Store API login endpoint
Details

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not, indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

Database specific
{
    "cwe_ids": [
        "CWE-204"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31888.json"
}
References

Affected packages

Git / github.com/shopware/shopware

Affected ranges

Type
GIT
Repo
https://github.com/shopware/shopware
Events
Database specific
{
    "versions": [
        {
            "introduced": "6.7.0.0"
        },
        {
            "fixed": "6.7.8.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/shopware/shopware
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.6.10.15"
        },
        {
            "fixed": "6.6.10.14"
        }
    ]
}

Affected versions

v6.*
v6.0.0+dp1
v6.0.0+ea1
v6.0.0+ea1.1
v6.0.0+ea2
v6.1.0
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.1.0-rc4
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.2.0
v6.2.0-RC1
v6.2.1
v6.2.2
v6.2.3
v6.3.0.0
v6.3.0.1
v6.3.0.2
v6.3.3.0
v6.3.3.1
v6.3.4.1
v6.3.5.0
v6.4.1.0
v6.4.1.1
v6.4.1.2
v6.4.10.0
v6.4.10.1
v6.4.11.0
v6.4.11.1
v6.4.13.0
v6.4.14.0
v6.4.15.0
v6.4.15.1
v6.4.15.2
v6.4.16.0
v6.4.16.1
v6.4.17.0
v6.4.17.1
v6.4.17.2
v6.4.3.0
v6.4.3.1
v6.4.4.0
v6.4.4.1
v6.4.5.0
v6.4.5.1
v6.4.6.0
v6.4.6.1
v6.4.8.0
v6.4.8.1
v6.4.8.2
v6.4.9.0
v6.5.0.0
v6.5.0.0-rc1
v6.5.0.0-rc2
v6.5.0.0-rc3
v6.5.0.0-rc4
v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.6.10.12
v6.6.10.13
v6.6.10.4
v6.6.10.5
v6.6.10.6
v6.6.10.8
v6.6.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31888.json"