CVE-2026-31889: Shopware vulnerable to a potential takeover of app credentials
We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. We have no evidence that this vulnerability has been exploited.