GHSA-8v9p-g828-v98f

Suggest an improvement
Source
https://github.com/advisories/GHSA-8v9p-g828-v98f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8v9p-g828-v98f/GHSA-8v9p-g828-v98f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8v9p-g828-v98f
Aliases
  • CVE-2026-48009
Published
2026-06-04T19:27:15Z
Modified
2026-06-04T19:30:16.284410781Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Shopware: Admin Account Takeover via User Recovery Hash Exposure
Details

Summary

A low-privilege admin user with user_recovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim (unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password (another unauthenticated endpoint). The recovery hash — intended to be secret and delivered only via email — is fully readable through the standard entity search API.

OWASP: A01:2021 — Broken Access Control

Root Cause

The user_recovery entity exposes its hash field through the Admin API search endpoint (POST /api/search/user-recovery). The hash field lacks ApiAware(false) or ReadProtection, so any user with user_recovery:read ACL can read it.

The password recovery flow assumes the hash is delivered exclusively via email. The Admin API provides an alternative channel to obtain it, breaking this assumption.

Three endpoints combine to form the attack:

  1. POST /api/_action/user/user-recovery — triggers recovery, creates hash in DB (no auth required)
  2. POST /api/search/user-recovery — reads the hash (requires only user_recovery:read ACL)
  3. PATCH /api/_action/user/user-recovery/password — resets password using hash (no auth required)

Vulnerable code: - src/Core/System/User/Recovery/UserRecoveryDefinition.phphash field is ApiAware with no ReadProtection

Impact

  • Full admin account takeover — attacker gains the highest privilege level in the system
  • All admin capabilities — user/role management, system configuration, plugin management, customer data access
  • Cascading compromise — taken-over admin account can be used to pivot to other attacks
  • Low barrieruser_recovery:read is a seemingly harmless permission that grants devastating access

Remediation

Remove the hash field from API responses:

// src/Core/System/User/Recovery/UserRecoveryDefinition.php
(new StringField('hash', 'hash'))
    ->addFlags(new Required(), new ApiAware(false)),
Database specific 
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-06-04T19:27:15Z",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Packagist / shopware/platform

Package

Name
shopware/platform
Purl
pkg:composer/shopware%2Fplatform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0.0
Fixed
6.7.10.1

Affected versions

v6.*
v6.7.0.0
v6.7.0.1
v6.7.1.0
v6.7.1.1
v6.7.1.2
v6.7.2.0
v6.7.2.1
v6.7.2.2
v6.7.3.0
v6.7.3.1
v6.7.4.0
v6.7.4.1
v6.7.4.2
v6.7.5.0
v6.7.5.1
v6.7.6.0
v6.7.6.1
v6.7.6.2
v6.7.7.0
v6.7.7.1
v6.7.8.0
v6.7.8.1
v6.7.8.2
v6.7.9.0
v6.7.9.1
v6.7.10.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8v9p-g828-v98f/GHSA-8v9p-g828-v98f.json"

Packagist / shopware/platform

Package

Name
shopware/platform
Purl
pkg:composer/shopware%2Fplatform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.10.18

Affected versions

v6.*
v6.0.0+ea2
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.1.0-rc4
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2.0-RC1
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.2.1
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.4.1
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.5.6.0
v6.5.6.1
v6.5.7.0
v6.5.7.1
v6.5.7.2
v6.5.7.3
v6.5.7.4
v6.5.8.0
v6.5.8.1
v6.5.8.2
v6.5.8.3
v6.5.8.4
v6.5.8.5
v6.5.8.6
v6.5.8.7
v6.5.8.8
v6.5.8.9
v6.5.8.10
v6.5.8.11
v6.5.8.12
v6.5.8.13
v6.5.8.14
v6.5.8.15
v6.5.8.16
v6.5.8.17
v6.5.8.18
v6.5.8.19
v6.6.0.0-rc1
v6.6.0.0-rc2
v6.6.0.0-rc3
v6.6.0.0-rc4
v6.6.0.0-rc5
v6.6.0.0-rc6
v6.6.0.0-rc7
v6.6.0.0
v6.6.0.1
v6.6.0.2
v6.6.0.3
v6.6.1.0
v6.6.1.1
v6.6.1.2
v6.6.2.0
v6.6.3.0
v6.6.3.1
v6.6.4.0
v6.6.4.1
v6.6.5.0
v6.6.5.1
v6.6.6.0
v6.6.6.1
v6.6.7.0
v6.6.7.1
v6.6.8.0
v6.6.8.1
v6.6.8.2
v6.6.9.0
v6.6.10.0
v6.6.10.1
v6.6.10.2
v6.6.10.3
v6.6.10.4
v6.6.10.5
v6.6.10.6
v6.6.10.7
v6.6.10.8
v6.6.10.9
v6.6.10.10
v6.6.10.11
v6.6.10.12
v6.6.10.13
v6.6.10.14
v6.6.10.15
v6.6.10.16
v6.6.10.17
6.*
6.3.0.0
6.3.0.1
6.3.0.2
6.3.1.0
6.3.1.1
6.3.2.0
6.3.2.1
6.3.3.0
6.3.3.1
6.3.4.0
6.3.4.1
6.3.5.0
6.3.5.1
6.3.5.2
6.3.5.3
6.3.5.4
6.4.0.0-RC1
6.4.0.0
6.4.1.0
6.4.1.1
6.4.1.2
6.4.2.0
6.4.2.1
6.4.3.0
6.4.3.1
6.4.4.0
6.4.4.1
6.4.5.0
6.4.5.1
6.4.6.0
6.4.6.1
6.4.7.0
6.4.8.0
6.4.8.1
6.4.8.2
6.4.9.0
6.4.10.0
6.4.10.1
6.4.11.0
6.4.11.1
6.4.12.0
6.4.13.0
6.4.14.0
6.4.15.0
6.4.15.1
6.4.15.2
6.4.16.0
6.4.16.1
6.4.17.0
6.4.17.1
6.4.17.2
6.4.18.0
6.4.18.1
6.4.19.0
6.4.20.0
6.4.20.1
6.4.20.2
6.5.0.0-rc1
6.5.0.0-rc2
6.5.0.0-rc3
6.5.0.0-rc4
6.5.0.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8v9p-g828-v98f/GHSA-8v9p-g828-v98f.json"

Packagist / shopware/core

Package

Name
shopware/core
Purl
pkg:composer/shopware%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0.0
Fixed
6.7.10.1

Affected versions

v6.*
v6.7.0.0
v6.7.0.1
v6.7.1.0
v6.7.1.1
v6.7.1.2
v6.7.2.0
v6.7.2.1
v6.7.2.2
v6.7.3.0
v6.7.3.1
v6.7.4.0
v6.7.4.1
v6.7.4.2
v6.7.5.0
v6.7.5.1
v6.7.6.0
v6.7.6.1
v6.7.6.2
v6.7.7.0
v6.7.7.1
v6.7.8.0
v6.7.8.1
v6.7.8.2
v6.7.9.0
v6.7.9.1
v6.7.10.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8v9p-g828-v98f/GHSA-8v9p-g828-v98f.json"

Packagist / shopware/core

Package

Name
shopware/core
Purl
pkg:composer/shopware%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.10.18

Affected versions

v6.*
v6.0.0+ea2
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.1.0-rc4
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2.0-RC1
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.2.1
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.4.1
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.5.6.0
v6.5.6.1
v6.5.7.0
v6.5.7.1
v6.5.7.2
v6.5.7.3
v6.5.7.4
v6.5.8.0
v6.5.8.1
v6.5.8.2
v6.5.8.3
v6.5.8.4
v6.5.8.5
v6.5.8.6
v6.5.8.7
v6.5.8.8
v6.5.8.9
v6.5.8.10
v6.5.8.11
v6.5.8.12
v6.5.8.13
v6.5.8.14
v6.5.8.15
v6.5.8.16
v6.5.8.17
v6.5.8.18
v6.5.8.19
v6.6.0.0-rc1
v6.6.0.0-rc2
v6.6.0.0-rc3
v6.6.0.0-rc4
v6.6.0.0-rc5
v6.6.0.0-rc6
v6.6.0.0-rc7
v6.6.0.0
v6.6.0.1
v6.6.0.2
v6.6.0.3
v6.6.1.0
v6.6.1.1
v6.6.1.2
v6.6.2.0
v6.6.3.0
v6.6.3.1
v6.6.4.0
v6.6.4.1
v6.6.5.0
v6.6.5.1
v6.6.6.0
v6.6.6.1
v6.6.7.0
v6.6.7.1
v6.6.8.0
v6.6.8.1
v6.6.8.2
v6.6.9.0
v6.6.10.0
v6.6.10.1
v6.6.10.2
v6.6.10.3
v6.6.10.4
v6.6.10.5
v6.6.10.6
v6.6.10.7
v6.6.10.8
v6.6.10.9
v6.6.10.10
v6.6.10.11
v6.6.10.12
v6.6.10.13
v6.6.10.14
v6.6.10.15
v6.6.10.16
v6.6.10.17
6.*
6.3.0.0
6.3.0.1
6.3.0.2
6.3.1.0
6.3.1.1
6.3.2.0
6.3.2.1
6.3.3.0
6.3.3.1
6.3.4.0
6.3.4.1
6.3.5.0
6.3.5.1
6.3.5.2
6.3.5.3
6.3.5.4
6.4.0.0-RC1
6.4.0.0
6.4.1.0
6.4.1.1
6.4.1.2
6.4.2.0
6.4.2.1
6.4.3.0
6.4.3.1
6.4.4.0
6.4.4.1
6.4.5.0
6.4.5.1
6.4.6.0
6.4.6.1
6.4.7.0
6.4.8.0
6.4.8.1
6.4.8.2
6.4.9.0
6.4.10.0
6.4.10.1
6.4.11.0
6.4.11.1
6.4.12.0
6.4.13.0
6.4.14.0
6.4.15.0
6.4.15.1
6.4.15.2
6.4.16.0
6.4.16.1
6.4.17.0
6.4.17.1
6.4.17.2
6.4.18.0
6.4.18.1
6.4.19.0
6.4.20.0
6.4.20.1
6.4.20.2
6.5.0.0-rc1
6.5.0.0-rc2
6.5.0.0-rc3
6.5.0.0-rc4
6.5.0.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8v9p-g828-v98f/GHSA-8v9p-g828-v98f.json"