Shopware 6 Account Enumeration Vulnerability via Store API

Vulnerability

A vulnerability in Shopware 6 allows attackers to verify if an email address is associated with an account by using the store-api endpoint '/store-api/account/recovery-password'. This issue affects Shopware versions 6.6.0.0 through 6.6.10.2, 6.7.0.0-rc1, and 6.5.8.17. The vulnerability is rooted in the way the store API handles account recovery requests, providing distinct responses based on account existence.
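To make the root cause concrete, here is an added illustration that is not Shopware's code and does not reproduce its actual recovery handler: a minimal recovery-password endpoint written in the vulnerable pattern (the reply differs depending on whether the address exists) next to a hardened variant that answers identically for every well-formed address, plus a check a defender can run against either handler. The `Response` type, the in-memory `KNOWN_CUSTOMERS` store and the sample addresses are constructed for this example.

```python
"""Added illustration of the response-differentiation flaw described above.
Not Shopware's code: the handler names, the Response type, the in-memory
customer store and the sample addresses are all constructed here."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP reply: status code plus JSON body."""
    status: int
    body: dict


# Constructed stand-in for the shop's customer table.
KNOWN_CUSTOMERS = {"alice@example.com", "bob@example.com"}


def recovery_vulnerable(email: str) -> Response:
    """Vulnerable pattern: status and body reveal whether the address exists."""
    if email not in KNOWN_CUSTOMERS:
        # Distinct error for unknown addresses leaks account existence.
        return Response(404, {"errors": [{"code": "CUSTOMER_NOT_FOUND"}]})
    # A real handler would queue the recovery mail here.
    return Response(200, {"success": True})


def recovery_hardened(email: str) -> Response:
    """Hardened pattern: the same reply for every syntactically valid address.

    Whether a mail is actually sent is decided server-side and never
    surfaces in the response, so a caller cannot tell known from unknown.
    """
    if "@" not in email:
        # Format validation is fine to report: it says nothing about accounts.
        return Response(400, {"errors": [{"code": "INVALID_EMAIL"}]})
    if email in KNOWN_CUSTOMERS:
        pass  # queue the recovery mail; nothing about this branch is returned
    return Response(200, {"success": True})


def responses_distinguish(handler: Callable[[str], Response],
                          known: str, unknown: str) -> bool:
    """Defender's check: True if the handler answers differently for an
    address that exists versus one that does not (i.e. it leaks existence)."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, handler in (("vulnerable", recovery_vulnerable),
                          ("hardened", recovery_hardened)):
        leaks = responses_distinguish(handler, "alice@example.com",
                                      "nobody@example.com")
        print(f"{name}: leaks account existence = {leaks}")
```

The check compares status and body only; a hardened endpoint should also avoid measurable timing differences between the two branches (for example by doing the expensive mail work asynchronously), which this illustration does not cover.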

Impact

Exploitation of this vulnerability allows for account enumeration by revealing whether a specific email address is associated with an account.

Remediation

Users can update to Shopware version 6.6.10.3, 6.7.0.0-rc2, or 6.5.8.18. For those using older versions of 6.4, corresponding security measures are available via a plugin.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 8.9
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 1.4
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.