CVE-2026-48009: Shopware: Admin Account Takeover via User Recovery Hash Exposure

June 4, 2026

A low-privilege admin user with user_recovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim (unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim’s password (another unauthenticated endpoint). The recovery hash — intended to be secret and delivered only via email — is fully readable through the standard entity search API.

OWASP: A01:2021 — Broken Access Control

References

github.com/advisories/GHSA-8v9p-g828-v98f
github.com/shopware/shopware/releases/tag/v6.6.10.18
github.com/shopware/shopware/releases/tag/v6.7.10.1
github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98f
nvd.nist.gov/vuln/detail/CVE-2026-48009

Code Behaviors & Features

Detect and mitigate CVE-2026-48009 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →