CVE-2026-31889
Published: 11 March 2026
Summary
CVE-2026-31889 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Shopware. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely identification, reporting, testing, and application of patches to fix the flawed app re-registration flow in Shopware.
- AC-3 (Access Enforcement): Enforces approved authorizations and domain control verification for logical access to the re-registration mechanism, preventing unauthorized shop-url updates.
- IA-5 (Authenticator Management): Requires management of HMAC authenticators with verification of control over the shop domain or installation during re-registration, addressing insufficient binding.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable flaw in the internet-facing Shopware app registration flow (AV:N) that directly enables initial access via hijacking of app-to-shop communication and credential theft; this matches the definition of exploiting a public-facing application vulnerability.
NVD Description
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.
Deeper analysis
CVE-2026-31889 affects Shopware, an open commerce platform, in versions prior to 6.6.10.15 and 6.7.8.1. The vulnerability lies in the legacy app registration flow, which uses HMAC-based authentication without sufficiently binding a shop installation to its original domain. This flaw enables the shop-url to be updated during re-registration without proving control over the previously registered shop or domain, facilitating targeted hijacking of app communication if an attacker holds the relevant app-side secret.
Attackers with knowledge of the app-side secret can exploit this vulnerability under specific conditions to take over the communication channel between a shop and an app. By abusing the re-registration process, they can redirect app traffic to an attacker-controlled domain and potentially obtain API credentials intended for the legitimate shop. The issue carries a CVSS score of 8.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L) and is associated with CWE-290.
Shopware has fixed this vulnerability in versions 6.6.10.15 and 6.7.8.1. Additional details on the issue and mitigation steps are available in the official security advisory at https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p.
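The weakness described above, as an added illustration that is not Shopware's code or part of the advisory: a simplified model of an HMAC-signed registration endpoint in which the legacy handler lets any request signed with the shared app secret move an existing shop id to a new shop-url, beside a hardened handler that binds the installation at first registration and demands proof of control before a shop-url change. The signing scheme, parameter names and the per-installation secret are assumptions for this model.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Simplified model of an HMAC-signed app registration endpoint (not Shopware's
# code); assumes the shop signs its query string with the shared app secret.
def sign(secret: str, payload: str) -> str:
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()

def valid_app_signature(app_secret: str, params: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(app_secret, urlencode(params)), signature)

def register_legacy(store: dict, app_secret: str, params: dict, signature: str) -> bool:
    """Vulnerable pattern (CWE-290): any request signed with the app secret may
    rebind an existing shop id to a new shop-url; no binding to the original domain."""
    if not valid_app_signature(app_secret, params, signature):
        return False
    store[params["shop-id"]] = {"shop-url": params["shop-url"]}
    return True

def register_bound(store: dict, app_secret: str, params: dict, signature: str,
                   proof: str = "") -> bool:
    """Hardened pattern: first registration binds shop id to shop-url and issues a
    random per-installation secret; moving the shop id needs a proof made with it."""
    if not valid_app_signature(app_secret, params, signature):
        return False
    shop_id, shop_url = params["shop-id"], params["shop-url"]
    existing = store.get(shop_id)
    if existing is None:
        store[shop_id] = {"shop-url": shop_url, "shop-secret": secrets.token_hex(32)}
        return True
    if existing["shop-url"] == shop_url:
        return True  # idempotent re-registration from the bound domain
    expected = sign(existing["shop-secret"], shop_id + "|" + shop_url)
    if not hmac.compare_digest(expected, proof):
        return False  # shop-url change without proof of control is rejected
    existing["shop-url"] = shop_url
    return True

def demo() -> dict:
    app_secret = "app-secret-constructed"  # constructed sample values
    legit = {"shop-id": "shop-1", "shop-url": "https://shop.example"}
    moved = {"shop-id": "shop-1", "shop-url": "https://other.example"}
    legacy, bound = {}, {}
    register_legacy(legacy, app_secret, legit, sign(app_secret, urlencode(legit)))
    register_bound(bound, app_secret, legit, sign(app_secret, urlencode(legit)))
    sig = sign(app_secret, urlencode(moved))
    return {"legacy_rebound": register_legacy(legacy, app_secret, moved, sig),
            "bound_rejected": not register_bound(bound, app_secret, moved, sig),
            "bound_url": bound["shop-1"]["shop-url"]}
```

`demo()` shows the legacy store rebound to the new domain while the hardened store keeps the original shop-url; a detection angle for the legacy flow is to alert on any registration that changes an existing shop id's shop-url.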
Details
- CWE(s)