CVE-2026-48010: Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts
UserController::upsertUser() writes user data in SYSTEM_SCOPE and does not filter the admin field. A non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users, escalating to full admin access.
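The missing check described above, sketched in PHP as an added example (not Shopware's code or its patch): a non-admin caller holding user:create or user:update is refused whenever the request body carries the admin field. The function name, its parameters and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical names; not Shopware's code or its patch.

/**
 * Decide whether a caller may write $payload to a user record.
 * The admin field is denied on presence rather than on value, so 1, "1"
 * or "true" cannot slip past a strict comparison with true.
 *
 * @param list<string>         $privileges ACL privileges held by the caller
 * @param array<string, mixed> $payload    decoded request body
 * @return array<string, mixed> the payload, unchanged, if it is allowed
 */
function authorizeUserUpsert(bool $callerIsAdmin, array $privileges, array $payload, bool $isNewUser): array
{
    if ($callerIsAdmin) {
        return $payload;
    }
    $required = $isNewUser ? 'user:create' : 'user:update';
    if (!in_array($required, $privileges, true)) {
        throw new DomainException("missing privilege {$required}");
    }
    if (array_key_exists('admin', $payload)) {
        throw new DomainException('only an admin may set the admin field');
    }
    return $payload;
}

// Constructed callers and request bodies: [isAdmin, privileges, payload, isNewUser].
$acl = ['user:create', 'user:update'];
$cases = [
    'non-admin creates plain user' => [false, $acl, ['username' => 'alice'], true],
    'non-admin creates admin user' => [false, $acl, ['username' => 'bob', 'admin' => true], true],
    'non-admin sets admin as "1"' => [false, $acl, ['admin' => '1'], false],
    'non-admin without ACL' => [false, [], ['username' => 'dave'], true],
    'admin creates admin user' => [true, [], ['username' => 'carol', 'admin' => true], true],
];
foreach ($cases as $label => [$isAdmin, $privileges, $payload, $isNew]) {
    try {
        authorizeUserUpsert($isAdmin, $privileges, $payload, $isNew);
        echo "{$label}: allowed\n";
    } catch (DomainException $e) {
        echo "{$label}: rejected ({$e->getMessage()})\n";
    }
}
```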