PT-2026-24795 · Shopware · Core

Mkraeml · Published 2026-03-11 · Updated 2026-03-11 · CVE-2026-31889

CVSS v3.1: 8.9 High
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Shopware versions prior to 6.6.10.15 and 6.7.8.1
Description

Shopware is an open commerce platform. Its app system registers an app against a shop through an HMAC-based registration handshake, and the legacy handshake did not adequately bind a shop installation to the domain it was originally registered from. On re-registration of an existing installation, the shop-url could be changed without any verification of control over the previously registered shop or domain; the request was accepted on the strength of the app-side secret alone. An attacker who already knows that app-side secret can therefore re-register an existing app installation with a domain under their control. From then on the app directs its traffic for that shop to the attacker's domain, which lets the attacker intercept app-to-shop communication, tamper with data, and obtain the API integration credentials the app would otherwise present to the legitimate shop. The vulnerability does not affect storefront or administration authentication; it is limited to the app system's registration and re-registration mechanism.
Recommendations

For shop operators: on Shopware versions prior to 6.6.10.15, upgrade to 6.6.10.15 or later; on versions prior to 6.7.8.1, upgrade to 6.7.8.1 or later. Ensure all installed apps are updated to the latest versions provided by their manufacturers. If you suspect compromised keys or observe unexpected app behaviour, re-install the affected app or trigger key rotation as documented by the app vendor.

For app manufacturers: update to the latest Shopware app SDKs, or apply the documented changes if you maintain a custom implementation of the registration flow. In particular, validate both the shopware-app-signature and the shopware-shop-signature header on re-registration requests, so that a request signed with the app secret alone cannot re-bind an existing shop-id to a new shop-url. Always generate and store a new shop secret on re-registration, and switch to it only after a successful confirmation. Verify that your app does not accept a changed shop-url value without validating these signatures.
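The following is an added example, not Shopware's code or its app SDK. It models the app side of the handshake described above in both forms: the legacy behaviour, in which a re-registration carrying only a valid shopware-app-signature re-binds a known shop-id to a new shop-url immediately, and the hardened behaviour the recommendations call for, in which a re-registration must also carry a shopware-shop-signature made with the currently active shop secret and the newly issued secret and URL stay pending until the shop confirms with them. Assumptions not taken from the page: that the shop signature on a re-registration is computed over the same query string as the app signature, the exact shape of the proof and confirmation payloads, the in-memory store layout, and every constant and sample value (all constructed).

```python
"""App-side registration and confirmation handlers for the Shopware app system."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed values for the example; a real app reads these from its manifest/config.
APP_NAME = "ExampleApp"
APP_SECRET = "app-secret-from-manifest"   # app-side secret: not specific to one shop
CONFIRMATION_URL = "https://app.example/confirm"


def sign(key: str, message: str) -> str:
    """HMAC-SHA256 hex digest, the primitive behind both signature headers."""
    return hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest()


def handle_registration(raw_query: str, headers: dict, shops: dict, strict: bool):
    """Registration endpoint. Returns the response dict, or None when rejected.

    shops maps shop-id -> {"url", "secret", "pending_secret", "pending_url", ...}.
    strict=False models the legacy behaviour: a known shop-id is re-bound to a new
    shop-url and secret on the strength of the app signature alone.
    strict=True is the hardened flow: re-registration must also carry a valid
    shopware-shop-signature made with the current shop secret (assumed to be computed
    over the same query string), and the new secret/URL stay pending until confirmed.
    """
    if not hmac.compare_digest(sign(APP_SECRET, raw_query),
                               headers.get("shopware-app-signature", "")):
        return None
    params = {k: v[0] for k, v in parse_qs(raw_query, strict_parsing=True).items()}
    shop_id, shop_url = params["shop-id"], params["shop-url"]
    existing = shops.get(shop_id)
    if existing is not None and strict:
        # Only the holder of the currently active shop secret may re-register this shop-id.
        if not hmac.compare_digest(sign(existing["secret"], raw_query),
                                   headers.get("shopware-shop-signature", "")):
            return None
    new_secret = secrets.token_hex(32)
    record = existing if existing is not None else {"url": None, "secret": None}
    record["pending_secret"], record["pending_url"] = new_secret, shop_url
    if not strict:
        record["secret"], record["url"] = new_secret, shop_url   # legacy: switched at once
    shops[shop_id] = record
    return {"proof": sign(APP_SECRET, shop_id + shop_url + APP_NAME),
            "secret": new_secret, "confirmation_url": CONFIRMATION_URL}


def handle_confirmation(raw_body: str, headers: dict, shops: dict) -> bool:
    """Confirmation endpoint: activates the pending secret and URL once the shop has
    signed its API credentials with that pending secret."""
    body = json.loads(raw_body)
    record = shops.get(body["shopId"])
    if record is None or record.get("pending_secret") is None:
        return False
    if not hmac.compare_digest(sign(record["pending_secret"], raw_body),
                               headers.get("shopware-shop-signature", "")):
        return False
    if body["shopUrl"] != record["pending_url"]:
        return False
    record["secret"], record["url"] = record.pop("pending_secret"), record.pop("pending_url")
    record["api_key"], record["secret_key"] = body["apiKey"], body["secretKey"]
    return True


def demo(strict: bool) -> dict:
    """Constructed scenario: a legitimate shop registers and confirms; an attacker who knows
    only APP_SECRET re-registers the same shop-id with a domain they control; then the
    legitimate shop re-registers, signing with both secrets."""
    shops, shop_id = {}, "shop123"
    legit_url, evil_url = "https://legit-shop.example", "https://evil.example"

    q = urlencode({"shop-id": shop_id, "shop-url": legit_url, "timestamp": "1700000000"})
    resp = handle_registration(q, {"shopware-app-signature": sign(APP_SECRET, q)}, shops, strict)
    legit_secret = resp["secret"]
    body = json.dumps({"shopId": shop_id, "shopUrl": legit_url, "apiKey": "SWIAKEY",
                       "secretKey": "SWIASECRET", "timestamp": "1700000001"})
    assert handle_confirmation(body, {"shopware-shop-signature": sign(legit_secret, body)}, shops)

    # Attacker: valid app signature (the app secret is not shop-specific), no shop signature.
    q = urlencode({"shop-id": shop_id, "shop-url": evil_url, "timestamp": "1700000100"})
    attacker = handle_registration(q, {"shopware-app-signature": sign(APP_SECRET, q)}, shops, strict)
    url_after_attack = shops[shop_id]["url"]

    # Legitimate shop re-registers with both headers; in strict mode the new secret stays pending.
    q = urlencode({"shop-id": shop_id, "shop-url": legit_url, "timestamp": "1700000200"})
    legit = handle_registration(q, {"shopware-app-signature": sign(APP_SECRET, q),
                                    "shopware-shop-signature": sign(legit_secret, q)}, shops, strict)
    return {"attacker_accepted": attacker is not None,
            "url_after_attack": url_after_attack,
            "legit_rereg_accepted": legit is not None}


if __name__ == "__main__":
    print("legacy:", demo(strict=False))
    print("strict:", demo(strict=True))
```

Run with strict=False and the attacker's re-registration is accepted and the stored shop-url becomes the attacker's domain, so every later app-to-shop call (carrying the shop's stored API credentials) goes to the attacker. With strict=True the same request is rejected because it carries no shopware-shop-signature, while the legitimate shop's re-registration, signed with both secrets, still succeeds and only takes effect after confirmation.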

Exploit

Fix

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-31889
GHSA-C4P7-RWRG-PF6P

Affected Products

Core
Xplatform
Shopware
Shopware/Core
Shopware/Platform