Shopware Cloud Storage Visibility Vulnerability Allowing Access to Private Files

Vulnerability

A vulnerability in Shopware versions prior to 6.4.1.1 allows private files to be publicly accessible when stored with certain Cloud Storage providers, provided the hashed URL is known. This issue arises from incorrect visibility settings in the application's configuration. When using Amazon AWS for storage, public access to the bucket containing private files can exacerbate the problem.

Impact

Exploitation of this vulnerability could lead to unauthorized access to private files stored in the cloud.

Remediation

Users are advised to update to Shopware 6.4.1.1 or later. If using the Security plugin, it should be updated to the latest version and the command './bin/console s3:set-visibility' should be run to correct cloud file visibilities. For those using Amazon AWS, public access to the bucket containing private files should be disabled.
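A post-remediation check for the steps above, as an added example that is not part of the advisory or of Shopware's code: it flags private objects that still carry a public ACL grant and lists which S3 Block Public Access flags are off. It assumes the wrong visibility shows up as a public-read object ACL, covers ACLs only (not bucket policies), and runs on constructed data shaped like the S3 GetPublicAccessBlock and GetObjectAcl responses; the object keys are made up.

```python
# Added example: offline audit over constructed data shaped like the S3
# GetPublicAccessBlock and GetObjectAcl responses. Not Shopware code.
PUBLIC_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_block_flags(pab):
    """Return the Block Public Access flags that are not enabled."""
    pab = pab or {}  # no configuration at all means nothing is blocked
    return [flag for flag in PAB_FLAGS if not pab.get(flag, False)]


def public_permissions(acl):
    """Return the permissions an object ACL grants to the public groups."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.add(grant["Permission"])
    return sorted(perms)


def audit_private_objects(pab, object_acls):
    """Sort private object keys with public grants into exposed or stale.

    With IgnorePublicAcls enabled S3 disregards public ACLs, so such a
    grant is reported as 'stale' (still worth resetting), not 'exposed'.
    """
    acls_ignored = bool((pab or {}).get("IgnorePublicAcls"))
    report = {"exposed": {}, "stale": {}}
    for key, acl in object_acls.items():
        perms = public_permissions(acl)
        if perms:
            report["stale" if acls_ignored else "exposed"][key] = perms
    return report


# Constructed sample input: one object left public-read, one correctly private.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"}
PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]},
               "Permission": "READ"}
SAMPLE_ACLS = {
    "private/aa/bb/invoice_1001.pdf": {"Grants": [OWNER, PUBLIC_READ]},
    "private/cc/dd/invoice_1002.pdf": {"Grants": [OWNER]},
}
```

An empty "exposed" map together with an empty result from missing_block_flags is the state the remediation aims for; entries under "stale" mean the visibility reset has not yet been applied to those objects.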

Added: Mar 11, 2026, 6:55 PM
Updated: Mar 11, 2026, 6:55 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.2
exploitability: 7.3
remediation: 8.3
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.