PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48009 shopware CVE debrief

CVE-2026-48009 is a vulnerability in Shopware, an open commerce platform. A low-privilege admin user with user_recovery:read ACL can take over any admin account by exploiting the user recovery API. This issue is fixed in versions 6.6.10.18 and 6.7.10.1. The vulnerability allows an attacker to trigger a password recovery, read the recovery hash, and use it to take over an admin account. The root cause is the exposure of the hash field through the Admin API without proper protection.

Vendor
shopware
Product
Unknown
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of Shopware versions prior to 6.6.10.18 and 6.7.10.1 should be aware of this vulnerability and take immediate action to update their installations. This includes reviewing access controls, monitoring for suspicious activity, and ensuring proper configuration of the user recovery API.

Technical summary

The vulnerability in Shopware, an open commerce platform, is caused by the exposure of the hash field through the Admin API in src/Core/System/User/Recovery/UserRecoveryDefinition.php without proper protection. This allows a low-privilege admin user with user_recovery:read ACL to trigger a password recovery, read the recovery hash, and use it to take over any admin account. The issue is fixed in versions 6.6.10.18 and 6.7.10.1. Administrators and users of affected versions should update their installations immediately and review access controls, monitor for suspicious activity, and ensure proper configuration of the user recovery API. Evidence is limited to public sources and may not be comprehensive, so defenders should verify affected scope and vendor guidance through official channels.

Defensive priority

High

Recommended defensive actions

  • Update Shopware to version 6.6.10.18 or 6.7.10.1
  • Restrict access to the user recovery API
  • Monitor for suspicious activity on the user recovery API
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-17T18:17:15.863Z and last modified on 2026-07-17T20:17:19.973Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not be comprehensive. Defenders should verify affected scope and vendor guidance through official channels.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T18:17:15.863Z and has not been modified since then. The NVD entry is currently Deferred.