PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48010 shopware CVE debrief

CVE-2026-48010 is a vulnerability in Shopware's open commerce platform that allows non-admin API users to set admin privileges on new or existing users due to a lack of filtering in the UserController::upsertUser() function. This issue has a CVSS score of 6.5 and a severity of MEDIUM. Affected deployments exist in managed environments, requiring owners to review and mitigate the vulnerability. The issue is fixed in versions 6.6.10.18 and 6.7.10.1. Defenders should prioritize reviewing API user permissions, monitoring account changes, and applying patches.

Vendor
shopware
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-18
Advisory published
2026-07-17
Advisory updated
2026-07-18

Who should care

Users of Shopware open commerce platform, especially those with API user accounts, system administrators, and security teams responsible for managing user permissions and access controls, should be aware of this vulnerability and take steps to protect themselves. This includes reviewing current API user permissions, monitoring user account changes, and applying patches as soon as possible. Additionally, operators of managed environments should verify that their configurations are secure and that there are no unintended admin-level users created through API interactions.

Technical summary

The vulnerability exists in the UserController::upsertUser() function in src/Core/Framework/Api/Controller/UserController.php. The function writes raw user data in SYSTEM_SCOPE without filtering the admin field, allowing a non-admin API user with user:create or user:update ACL permission to set admin: true on new or existing users. This issue can be particularly problematic in managed environments where user accounts and permissions are tightly controlled. Affected product deployments require careful review to ensure that API user permissions are properly limited and monitored.

Defensive priority

Medium-High

Recommended defensive actions

  • Review and limit API user permissions
  • Monitor user account changes
  • Apply patches (versions 6.6.10.18 and 6.7.10.1)
  • Verify affected scope and vendor guidance
  • Check relevant monitoring, detection, and logs for exposed assets
  • Track exceptions and retest remediated assets
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-17T18:17:16.023Z and was last modified on 2026-07-17T18:30:01.357Z. The evidence is limited to the information provided in the CVE record and NVD detail. Defenders should verify the affected scope, severity, and vendor guidance. The CVE record and NVD detail provide the official description of the vulnerability. There may be additional information available from other sources, but it is not included here due to evidence limits. It's crucial to review the official advisory and consider the potential impact on managed environments.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T18:17:16.023Z and has not been modified since then.