GHSA-v39m-97p8-gqg7

Source

https://github.com/advisories/GHSA-v39m-97p8-gqg7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-v39m-97p8-gqg7/GHSA-v39m-97p8-gqg7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v39m-97p8-gqg7

Aliases

CVE-2026-48010

Published

2026-06-04T19:28:29Z

Modified

2026-06-04T19:30:16.336052137Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

Details

UserController::upsertUser() writes user data in SYSTEM_SCOPE and does not filter the admin field. A non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users, escalating to full admin access.

The Problem

In src/Core/Framework/Api/Controller/UserController.php, line 210-234:

public function upsertUser(?string $userId, Request $request, Context $context, ResponseFactoryInterface $factory): Response
{
    $data = $request->request->all(); // raw request data, no field filtering
    // ...
    $events = $context->scope(Context::SYSTEM_SCOPE, fn (Context $context) =>
        $this->userRepository->upsert([$data], $context)
    );
}

SYSTEM_SCOPE bypasses AclWriteValidator entirely (line 52 of AclWriteValidator::preValidate() returns early for SYSTEM_SCOPE). The admin boolean field is accepted without restriction.

Compare with IntegrationController::upsertIntegration() in the same codebase, which correctly checks:

if ((!$source instanceof AdminApiSource)
    || (!$source->isAdmin()
    && isset($data['admin']))
) {
    throw new PermissionDeniedException();
}

UserController is missing this exact check.

Impact

Any API user with the low-privilege user:create permission can create accounts with full admin access, or with user:update can promote any existing user to admin. This is a direct privilege escalation.

Suggested Fix

Add the same isAdmin() check from IntegrationController:

$source = $context->getSource();
if ((!$source instanceof AdminApiSource) || (!$source->isAdmin() && isset($data['admin']))) {
    throw new PermissionDeniedException();
}

Best regards, Keyvan Hardani

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T19:28:29Z",
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-269"
    ]
}

References

Affected packages

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware%2Fplatform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0

Fixed

6.7.10.1

Affected versions

v6.*

v6.7.0.0

v6.7.0.1

v6.7.1.0

v6.7.1.1

v6.7.1.2

v6.7.2.0

v6.7.2.1

v6.7.2.2

v6.7.3.0

v6.7.3.1

v6.7.4.0

v6.7.4.1

v6.7.4.2

v6.7.5.0

v6.7.5.1

v6.7.6.0

v6.7.6.1

v6.7.6.2

v6.7.7.0

v6.7.7.1

v6.7.8.0

v6.7.8.1

v6.7.8.2

v6.7.9.0

v6.7.9.1

v6.7.10.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-v39m-97p8-gqg7/GHSA-v39m-97p8-gqg7.json"

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware%2Fplatform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.10.18

Affected versions

v6.*

v6.0.0+ea2

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

v6.5.8.17

v6.5.8.18

v6.5.8.19

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

v6.6.10.3

v6.6.10.4

v6.6.10.5

v6.6.10.6

v6.6.10.7

v6.6.10.8

v6.6.10.9

v6.6.10.10

v6.6.10.11

v6.6.10.12

v6.6.10.13

v6.6.10.14

v6.6.10.15

v6.6.10.16

v6.6.10.17

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-v39m-97p8-gqg7/GHSA-v39m-97p8-gqg7.json"

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware%2Fcore

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0

Fixed

6.7.10.1

Affected versions

v6.*

v6.7.0.0

v6.7.0.1

v6.7.1.0

v6.7.1.1

v6.7.1.2

v6.7.2.0

v6.7.2.1

v6.7.2.2

v6.7.3.0

v6.7.3.1

v6.7.4.0

v6.7.4.1

v6.7.4.2

v6.7.5.0

v6.7.5.1

v6.7.6.0

v6.7.6.1

v6.7.6.2

v6.7.7.0

v6.7.7.1

v6.7.8.0

v6.7.8.1

v6.7.8.2

v6.7.9.0

v6.7.9.1

v6.7.10.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-v39m-97p8-gqg7/GHSA-v39m-97p8-gqg7.json"

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware%2Fcore

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.10.18

Affected versions

v6.*

v6.0.0+ea2

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

v6.5.8.17

v6.5.8.18

v6.5.8.19

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

v6.6.10.3

v6.6.10.4

v6.6.10.5

v6.6.10.6

v6.6.10.7

v6.6.10.8

v6.6.10.9

v6.6.10.10

v6.6.10.11

v6.6.10.12

v6.6.10.13

v6.6.10.14

v6.6.10.15

v6.6.10.16

v6.6.10.17

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-v39m-97p8-gqg7/GHSA-v39m-97p8-gqg7.json"