PT-2026-24794 · Shopware+2 · Core+4
Bugbunny-Research · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-31888
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.7.8.1 and 6.6.10.15

Description: The Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address is registered or unknown (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS versus CHECKOUT__CUSTOMER_NOT_FOUND). The 'not found' response also echoes the probed email address. An unauthenticated attacker can therefore enumerate valid customer accounts. The storefront login controller handles both error paths consistently, but the Store API does not, so the two code paths are inconsistent in their defence. The resulting customer email enumeration can support targeted phishing campaigns and make credential stuffing more efficient. Because the CHECKOUT__CUSTOMER_NOT_FOUND response reflects the probed email, it could also be leveraged in reflected content attacks. Rate limiting is present but does not prevent enumeration, since only one request per email is needed. The root cause is that the two distinct error codes leak whether an account exists.

Recommendations: Versions prior to 6.7.8.1: catch both CustomerNotFoundException and BadCredentialsException in LoginRoute and throw a unified error. Versions prior to 6.6.10.15: catch both CustomerNotFoundException and BadCredentialsException in LoginRoute and throw a unified error.
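As an added illustration (not Shopware's own code), the snippet below shows a stripped-down login route with the leaky two-error pattern beside the unified handling the recommendation describes. The exception class names and error codes come from the advisory; the `CustomerRepository` interface, the `findByEmail` method and the array-shaped customer record are assumptions, and the code targets PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Assumed minimal stand-ins for the two exceptions named in the advisory.
final class CustomerNotFoundException extends \RuntimeException
{
    public const ERROR_CODE = 'CHECKOUT__CUSTOMER_NOT_FOUND';
    public function __construct(public readonly string $email)
    {
        // The leaky message reflects the probed email back to the caller.
        parent::__construct(sprintf('No matching customer for the email "%s"', $email));
    }
}
final class BadCredentialsException extends \RuntimeException
{
    public const ERROR_CODE = 'CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS';
}
// Unified error: one code, one fixed message, no echo of the submitted email.
final class UnauthorizedException extends \RuntimeException
{
    public const ERROR_CODE = 'CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS';
    public function __construct()
    {
        parent::__construct('Invalid username and/or password.');
    }
}

interface CustomerRepository // assumed
{
    /** @return array{id: string, password_hash: string}|null */
    public function findByEmail(string $email): ?array;
}

final class LoginRoute
{
    public function __construct(private readonly CustomerRepository $customers) {}

    /** Leaky variant: an unknown email and a wrong password are distinguishable. */
    public function loginLeaky(string $email, string $password): string
    {
        $customer = $this->customers->findByEmail($email)
            ?? throw new CustomerNotFoundException($email);
        if (!password_verify($password, $customer['password_hash'])) {
            throw new BadCredentialsException();
        }
        return $customer['id'];
    }

    /** Hardened variant: both failure paths collapse into the same response. */
    public function login(string $email, string $password): string
    {
        try {
            return $this->loginLeaky($email, $password);
        } catch (CustomerNotFoundException | BadCredentialsException) {
            throw new UnauthorizedException();
        }
    }
}
```

A caller that serialises `UnauthorizedException::ERROR_CODE` and its message now produces byte-identical error bodies for unknown and known-but-wrong-password emails, which is the property to check in a regression test.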

Related Identifiers

CVE-2026-31888
GHSA-GQC5-XV7M-GCJQ

Affected Products

Core
Xplatform
Shopware
Shopware/Core
Shopware/Platform