Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-gv8p-48fr-4fxg | Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass |
Fri, 17 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Shopware
Shopware platform Shopware shopware |
|
| Vendors & Products |
Shopware
Shopware platform Shopware shopware |
|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/_action/sync; the regular integration endpoint POST /api/integration blocks this, but SyncController::sync() routes writes through SyncService to EntityWriter::upsert(), and src/Core/Framework/Integration/IntegrationDefinition.php lacks WriteProtection on the admin field. This issue is fixed in versions 6.6.10.18 and 6.7.10.1. | |
| Title | Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T19:47:56.823Z
Reserved: 2026-05-20T17:44:09.586Z
Link: CVE-2026-48008
Updated: 2026-07-17T19:47:52.301Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T20:15:16Z
Github GHSA