CVE-2026-48008: Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API (POST /api/_action/sync). The regular integration endpoint (POST /api/integration) correctly blocks this, but the Sync API bypasses the controller-level check by writing directly through the DAL EntityWriter. The integration entity definition lacks WriteProtection, and the admin field has no field-level restriction flag.
OWASP: A01:2021 — Broken Access Control
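The bypass described above works because the privilege check lives in the integration controller rather than at the write layer, so a second write path (the Sync API) reaches the DAL without it. The following is an added example, not Shopware's own code or part of the advisory: a small policy/detection script that looks at a Sync API batch and refuses (or, run over recorded requests, flags) any attempt by a non-administrator to set the integration `admin` flag to true. It assumes the Sync API body is a JSON object whose values are operations shaped like `{"entity": ..., "action": "upsert" | "delete", "payload": [records...]}`, and that the caller already knows whether the acting API principal is an administrator (for example from the token's user record). The sample request records are constructed for the demonstration.

```python
"""Flag Sync API batches that try to grant the integration admin flag.

Added example for CVE-2026-48008; not Shopware's own code. Assumptions:
  * the Sync API body is a JSON object whose values are operations of the
    form {"entity": ..., "action": "upsert" | "delete", "payload": [...]};
  * the caller knows whether the acting principal is an administrator.
Check both against your Shopware version before relying on this.
"""
import json
from typing import Any

# Entity/field pairs only an administrator may set. The advisory names
# integration.admin; extend this table for other privileged flags you guard.
PRIVILEGED_FIELDS: dict[str, set[str]] = {"integration": {"admin"}}


def _records(payload: Any) -> list[dict]:
    """Sync payloads are normally lists of records; tolerate a single dict."""
    if isinstance(payload, dict):
        return [payload]
    return [r for r in (payload or []) if isinstance(r, dict)]


def find_privilege_grants(sync_body: dict) -> list[dict]:
    """Return every record in the batch that sets a privileged field to true.

    Each finding names the operation key, entity, record index and field so
    it can be logged or turned into an alert.
    """
    findings = []
    for op_key, op in sync_body.items():
        if not isinstance(op, dict) or op.get("action") != "upsert":
            continue  # deletes cannot grant privileges; skip malformed ops
        entity = op.get("entity")
        guarded = PRIVILEGED_FIELDS.get(entity)
        if not guarded:
            continue
        for idx, record in enumerate(_records(op.get("payload"))):
            for field in guarded:
                if record.get(field) is True:
                    findings.append({"operation": op_key, "entity": entity,
                                     "index": idx, "field": field})
    return findings


def decide(actor_is_admin: bool, sync_body: dict) -> dict:
    """The rule the controller enforces, applied to the Sync path as well:
    only an administrator may write a privileged field."""
    findings = find_privilege_grants(sync_body)
    if findings and not actor_is_admin:
        return {"decision": "deny", "findings": findings}
    return {"decision": "allow", "findings": findings}


# Constructed sample records of POST /api/_action/sync requests, as a gateway
# or request log might retain them. Not real traffic.
SAMPLE_REQUESTS = [
    {"actor": "integration-writer", "actor_is_admin": False,
     "body": json.dumps({"write-integration": {
         "entity": "integration", "action": "upsert",
         "payload": [{"label": "reporting", "admin": True}]}})},
    {"actor": "shop-admin", "actor_is_admin": True,
     "body": json.dumps({"write-integration": {
         "entity": "integration", "action": "upsert",
         "payload": [{"label": "erp-sync", "admin": True}]}})},
    {"actor": "integration-writer", "actor_is_admin": False,
     "body": json.dumps({"write-integration": {
         "entity": "integration", "action": "upsert",
         "payload": [{"label": "catalog-feed", "admin": False}]}})},
    {"actor": "integration-writer", "actor_is_admin": False,
     "body": json.dumps({"write-product": {  # unrelated entity: not flagged
         "entity": "product", "action": "upsert",
         "payload": [{"name": "widget", "admin": True}]}})},
]


def scan_requests(requests: list[dict]) -> list[dict]:
    """Run the policy over recorded requests and return the denied ones."""
    denied = []
    for req in requests:
        try:
            body = json.loads(req["body"])
        except (KeyError, ValueError):
            continue  # malformed record; not a Sync batch we can judge
        if not isinstance(body, dict):
            continue
        result = decide(req.get("actor_is_admin", False), body)
        if result["decision"] == "deny":
            denied.append({"actor": req["actor"], **result})
    return denied


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"DENY {hit['actor']}: {hit['findings']}")
```

Only the first sample is denied: the administrator's grant is allowed, an integration written with `admin: false` is allowed, and an unrelated entity carrying an `admin` key is ignored because the table is keyed by entity. As a mitigation, the same `decide` rule belongs in the write layer shared by both endpoints (or as a field-level write restriction on `integration.admin`) rather than only in the `/api/integration` controller; as detection, it runs over retained Sync API request bodies.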