CVE-2026-31887: Shopware: Unauthenticated data extraction possible through store-api.order endpoint

March 11, 2026

An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint.

References

github.com/advisories/GHSA-7vvp-j573-5584
github.com/shopware/shopware
github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584
nvd.nist.gov/vuln/detail/CVE-2026-31887

Code Behaviors & Features

Detect and mitigate CVE-2026-31887 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →