PT-2026-24793 · Shopware · Core
Mromeike · Published 2026-03-11 · Updated 2026-03-12
CVE-2026-31887
CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Shopware versions prior to 6.6.10.15
Shopware versions prior to 6.7.8.1
Description
An insufficient check on the filter types accepted from unauthenticated customers allows access to orders belonging to other customers. The issue lies in the deepLinkCode support of the store-api.order endpoint. Depending on the order payload configuration, an attacker may retrieve customer names, billing and shipping addresses, email addresses, ordered products, order values, order numbers, order dates, and payment and shipping method information. This allows unauthorized access to other customers' order data and potential scraping of customer personal information. The affected code has been present since approximately 2021, so all versions released since then are potentially affected.
Recommendations
Versions prior to 6.6.10.15 should be updated to version 6.6.10.15 or later.
Versions prior to 6.7.8.1 should be updated to version 6.7.8.1 or later.
For Composer-based installations, the installed core version can be confirmed with composer show shopware/core before and after the update.
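The class of flaw described above, a guest order lookup whose only guard is that some filter references deepLinkCode, is easier to see next to its hardened form. The following is an added illustrative model in Python, not Shopware's PHP code and not its Data Abstraction Layer classes: the Filter and Order types, the field names orderNumber and orderCustomer.email, the 32-character code length and the three sample orders are all assumptions constructed for the example. The weak variant accepts any filter type, so a prefix filter with an empty value enumerates every order; the hardened variant accepts exactly one equals filter on the complete deepLinkCode for unauthenticated callers and scopes authenticated lookups to the caller's own customer id.

```python
"""Illustrative model of a guest order lookup guarded by filter-type checks.

Added example, not Shopware code: the Filter/Order types, field names,
the 32-character deepLinkCode length and the sample orders are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DEEP_LINK_CODE_LENGTH = 32  # assumption: codes are 32-character hex strings


@dataclass(frozen=True)
class Filter:
    kind: str        # "equals", "prefix" or "contains" (criteria filter type)
    field_name: str  # API field name, e.g. "deepLinkCode"
    value: str


@dataclass(frozen=True)
class Order:
    order_number: str
    deep_link_code: str
    customer_id: Optional[str]  # None for a guest checkout
    email: str


# Constructed sample data: three orders from different customers.
ORDERS = [
    Order("10001", "5f1e2d3c4b5a69788796a5b4c3d2e1f0", "c-1", "alice@example.com"),
    Order("10002", "00112233445566778899aabbccddeeff", None, "bob@example.com"),
    Order("10003", "ffeeddccbbaa99887766554433221100", "c-3", "carol@example.com"),
]

# Assumed mapping from API field names to the attributes of the model above.
FIELD_MAP = {
    "deepLinkCode": "deep_link_code",
    "orderNumber": "order_number",
    "orderCustomer.email": "email",
}


def matches(f: Filter, order: Order) -> bool:
    """Evaluate one criteria filter against one order."""
    actual = getattr(order, FIELD_MAP[f.field_name])
    if f.kind == "equals":
        return actual == f.value
    if f.kind == "prefix":
        return actual.startswith(f.value)
    if f.kind == "contains":
        return f.value in actual
    raise ValueError(f"unsupported filter kind: {f.kind}")


def lookup_weak(filters: list[Filter], customer_id: Optional[str] = None) -> list[Order]:
    """Vulnerable shape: a guest only has to reference deepLinkCode in *some* filter.

    The filter type is never checked, so a prefix filter with an empty value
    (or a contains filter on a single character) matches every order.
    """
    if customer_id is None and not any(f.field_name == "deepLinkCode" for f in filters):
        raise PermissionError("guests must filter by deepLinkCode")
    hits = [o for o in ORDERS if all(matches(f, o) for f in filters)]
    if customer_id is not None:
        hits = [o for o in hits if o.customer_id == customer_id]
    return hits


def guest_filter_is_valid(filters: list[Filter]) -> bool:
    """Hardened rule: exactly one filter, of type equals, on the complete deepLinkCode."""
    if len(filters) != 1:
        return False
    f = filters[0]
    return (
        f.kind == "equals"
        and f.field_name == "deepLinkCode"
        and len(f.value) == DEEP_LINK_CODE_LENGTH
    )


def lookup_hardened(filters: list[Filter], customer_id: Optional[str] = None) -> list[Order]:
    """Fixed shape: unauthenticated callers get an exact full-code match or nothing."""
    if customer_id is None:
        if not guest_filter_is_valid(filters):
            raise PermissionError("guest lookups require a single exact deepLinkCode filter")
        return [o for o in ORDERS if matches(filters[0], o)]
    # Authenticated callers are always scoped to their own orders first.
    return [o for o in ORDERS if o.customer_id == customer_id and all(matches(f, o) for f in filters)]


if __name__ == "__main__":
    enumerate_all = [Filter("prefix", "deepLinkCode", "")]
    print("weak:", [o.order_number for o in lookup_weak(enumerate_all)])  # every order leaks
    try:
        lookup_hardened(enumerate_all)
    except PermissionError as exc:
        print("hardened:", exc)
    exact = [Filter("equals", "deepLinkCode", ORDERS[1].deep_link_code)]
    print("hardened exact:", [o.order_number for o in lookup_hardened(exact)])
```

The design point is that the guard must constrain the filter type and the completeness of the value, not merely the field name: a partial-match operator on an unguessable token turns the token into an enumerable prefix, and an equals filter on a short value is rejected before it reaches the data layer rather than relying on the search to return nothing.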
Exploit
Fix
Weakness Enumeration
CWE-863: Incorrect Authorization
Related Identifiers
Affected Products
Core
Xplatform
Shopware
Shopware/Core
Shopware/Platform