CVE-2026-48011: Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

June 4, 2026 (updated June 11, 2026)

There is a Proof of Concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack.

References

github.com/advisories/GHSA-7w52-7jvm-m9vw
github.com/shopware/shopware/releases/tag/v6.6.10.18
github.com/shopware/shopware/releases/tag/v6.7.10.1
github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw
nvd.nist.gov/vuln/detail/CVE-2026-48011

Code Behaviors & Features

Detect and mitigate CVE-2026-48011 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →