PT-2026-46887 · Packagist · Shopware/Core+1

Published

2026-06-04

·

Updated

2026-06-04

·

CVE-2026-48011

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

There is a Proof of Concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack.

Details

The faulty code exists in src/Core/Framework/Api/OAuth/UserRepository.php:
public function getUserEntityByUserCredentials(
    string $username,
    #[SensitiveParameter]
    string $password,
    string $grantType,
    ClientEntityInterface $clientEntity
  ): ?UserEntityInterface {
    if ($this->loginConfigService->getConfig()?->useDefault === false) {
      // never allow login via password if the default login is disabled (e.g. using SSO only)
      return null;
    }

    $builder = $this->connection->createQueryBuilder();
    $user = $builder->select('user.id', 'user.password')
      ->from('user')
      ->where('username = :username')
      ->setParameter('username', $username)
      ->fetchAssociative();

    // PATH 1: EARLY RETURN WHEN USERNAME IS NOT FOUND
    if (!$user) {
      return null;
    }

    // PATH 2: VERIFY PASSWORD IF USER IS FOUND
    if (!password verify($password, (string) $user['password'])) {
      return null;
    }

    return new User(Uuid::fromBytesToHex($user['id']));
  }
Subroutine getUserEntityByUserCredentials() is called when an auth request is send to api/oauth/token. If the given username is not found an early return is done (PATH 1). Only if the user is found we verify the password using password verify.
PHP method password verify by default uses hashing algorithm Argon2id which by design is intentionally 'slow' by introducing a timing cost to an attempt to bruteforce hashes more costly.
Since password verify has a notable executable time, PATH 2 where an user is found and verified will be slower on average then PATH 1 where we do an early return for non-existing users.

Proposed fix

Before doing the early return, password verify a dummy hash.

Impact

  1. More targeted dictionary/bruteforce attacks.
  2. Spear phishing / eases social engineering.
  3. Credential stuffing from other data leaks.

Authors

Niel Duysters (@NielDuysters) and Thomas Brankaer (@tbrankaer)

Fix

Weakness Enumeration

CWE-208

Related Identifiers

CVE-2026-48011
GHSA-7W52-7JVM-M9VW

Affected Products

Shopware/Core
Shopware/Platform