CVE-2026-48013: Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation

June 4, 2026

The /api/_action/media/external-link endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel uploadFromURL flow validates target IPs against private/reserved ranges via FileUrlValidator, the linkURL flow only performs a URL format check (regex for http:// or https:// prefix), allowing SSRF to internal network services and cloud metadata endpoints.

References

github.com/advisories/GHSA-gq96-5pfx-f4vc
github.com/shopware/shopware/releases/tag/v6.7.10.1
github.com/shopware/shopware/security/advisories/GHSA-gq96-5pfx-f4vc
nvd.nist.gov/vuln/detail/CVE-2026-48013

Code Behaviors & Features

Detect and mitigate CVE-2026-48013 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →