Shopware Unauthenticated Order Data Access Vulnerability

Vulnerability

A vulnerability in Shopware prior to versions 6.7.8.1 and 6.6.10.15 allows unauthenticated customers to access orders of other customers. The issue stems from inadequate validation of filter types on the store-api.order endpoint, specifically in its deepLinkCode support. As a result, unauthorized users can retrieve sensitive order information, including customer names, addresses, email addresses, ordered products, order values, order numbers, dates, payment and shipping method details, and potentially further custom data depending on the associations requested.

Impact

Exploitation of this vulnerability leads to unauthorized access to other customers' order data, mass enumeration of recent orders, and potential scraping of personal information.
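The impact described above, mass enumeration of recent orders through an unauthenticated endpoint, leaves a distinctive trace in web server access logs: many successful requests to the order endpoint from one client in a short time. The following added example, which is not part of the original advisory or of Shopware's own code, parses constructed combined-format access log lines and flags clients whose request rate to the order endpoint exceeds a threshold within a sliding window. The path `/store-api/order`, the threshold, the window and the log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2026:19:00:01 +0000] "POST /store-api/order HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.5 - - [11/Mar/2026:19:00:02 +0000] "POST /store-api/order HTTP/1.1" 200 1790 "-" "python-requests/2.31"
203.0.113.5 - - [11/Mar/2026:19:00:02 +0000] "POST /store-api/order HTTP/1.1" 200 1811 "-" "python-requests/2.31"
203.0.113.5 - - [11/Mar/2026:19:00:03 +0000] "POST /store-api/order HTTP/1.1" 200 1805 "-" "python-requests/2.31"
203.0.113.5 - - [11/Mar/2026:19:00:04 +0000] "POST /store-api/order HTTP/1.1" 200 1799 "-" "python-requests/2.31"
203.0.113.5 - - [11/Mar/2026:19:00:05 +0000] "POST /store-api/order HTTP/1.1" 200 1820 "-" "python-requests/2.31"
198.51.100.9 - - [11/Mar/2026:19:00:05 +0000] "POST /store-api/order HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2026:19:03:40 +0000] "GET /store-api/product-listing/abc HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:19:10:00 +0000] "POST /store-api/order HTTP/1.1" 200 1800 "-" "python-requests/2.31"
"""

# Combined log format: client, ident, user, [timestamp], "request line", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ORDER_PATH = "/store-api/order"  # assumed path of the store-api.order route


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def order_requests_by_client(log_text):
    """Collect timestamps of successful (200) requests to the order endpoint, per client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, status = rec
        # Strip any query string so a filtered request still matches the route.
        if path.split("?", 1)[0] == ORDER_PATH and status == 200:
            hits[ip].append(ts)
    return hits


def find_enumerating_clients(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients whose successful order-endpoint requests
    exceed `threshold` within any sliding window of length `window`."""
    flagged = {}
    for ip, stamps in order_requests_by_client(log_text).items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it covers at most `window` of time.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerating_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} order-endpoint requests within one window")
```

A legitimate storefront session rarely lists orders more than a few times a minute, so a low threshold catches scripted enumeration while leaving normal shoppers unflagged; tune the threshold and window to the shop's observed baseline before alerting on it.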

Remediation

Upgrade to Shopware 6.7.8.1 or 6.6.10.15, whichever matches the installed release branch, to address this vulnerability.

Added: Mar 11, 2026, 7:27 PM
Updated: Mar 11, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm

  spread          6.4
  impact          2.5
  exploitability  6.8
  remediation     7.7
  relevance       3.8
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.