GHSA-f339-246p-wwjp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f339-246p-wwjp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-f339-246p-wwjp/GHSA-f339-246p-wwjp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f339-246p-wwjp
- Aliases
- Published
- 2026-02-10T00:22:05Z
- Modified
- 2026-02-10T00:41:26.002692Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- FroshAdminer Adminer UI is accessible without admin session
- Details
-
Summary
Unauthenticated access to Adminer UI
Details
The Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users.
Note: Database access itself requires credentials that are only set through the ACL-protected API endpoint. Direct database access without prior admin login is not possible through this vulnerability alone.
Impact
An unauthenticated user could access the Adminer interface, potentially disclosing version information or exploiting Adminer-specific vulnerabilities.
Patches
Version 2.2.1 adds session validation. The Adminer route now verifies an authenticated session flag before rendering — returning HTTP 403 otherwise.
Workarounds
Deactivate or uninstall the plugin.
- Database specific
{ "github_reviewed_at": "2026-02-10T00:22:05Z", "severity": "MODERATE", "cwe_ids": [ "CWE-306" ], "github_reviewed": true, "nvd_published_at": "2026-02-09T21:15:50Z" }- References
-
- https://github.com/FriendsOfShopware/FroshPlatformAdminer/security/advisories/GHSA-f339-246p-wwjp
- https://nvd.nist.gov/vuln/detail/CVE-2026-25878
- https://github.com/FriendsOfShopware/FroshPlatformAdminer/commit/c4dd6c3462af178b3a7d146d3c651c2c253e902b
- https://github.com/FriendsOfShopware/FroshPlatformAdminer
- https://github.com/FriendsOfShopware/FroshPlatformAdminer/releases/tag/2.2.1
Affected packages
Packagist / frosh/adminer-platform
Package
- Name
- frosh/adminer-platform
- Purl
- pkg:composer/frosh/adminer-platform
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2.1