Shopware HTTP Cache Vulnerability Leading to Shared Guest Sessions

Vulnerability

A vulnerability in Shopware versions through 6.4.8.0 allows guest sessions to be shared between customers when the HTTP cache is enabled. This issue can create inconsistent experiences for guest users. However, setups using Varnish are not affected.

Impact

The vulnerability can lead to shared guest sessions, causing inconsistent experiences for users.

Remediation

Users can upgrade to Shopware version 6.4.8.2, available through the Auto-Updater or the download overview on the Shopware website. For older versions 6.1, 6.2, and 6.3, a security plugin is available. Disabling the HTTP cache is also a valid workaround.

Added: May 15, 2026, 8:48 AM
Updated: May 15, 2026, 8:48 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.3
exploitability: 6.2
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.