Mend.io Vulnerability Database
CVE-2026-48008
Published: June 05, 2026
Updated: June 06, 2026
Summary

A non-admin API user with "integration:create" ACL privilege can escalate to full administrator by creating an integration with "admin: true" through the Sync API ("POST /api/_action/sync"). The regular integration endpoint ("POST /api/integration") correctly blocks this, but the Sync API bypasses the controller-level check by writing directly through the DAL EntityWriter. The "integration" entity definition lacks "WriteProtection", and the "admin" field has no field-level restriction flag.

OWASP: A01:2021 — Broken Access Control

Root Cause

"IntegrationController::upsertIntegration()" checks "$source->isAdmin()" before allowing the "admin" field to be set. However, "SyncController::sync()" routes writes through "SyncService → EntityWriter", which only applies:

1. "AclWriteValidator" — checks entity-level ACL ("integration:create" is sufficient)
2. "EntityProtectionValidator" — checks "WriteProtection" on entity definitions, but "IntegrationDefinition" has none

The "admin" field in "IntegrationDefinition" is a plain "BoolField" with no "WriteProtection" or special flag. The Sync API writes it without restriction.

Vulnerable code path:
- "src/Core/Framework/Api/Controller/SyncController.php" → "SyncService" → "EntityWriter::upsert()"
- Missing protection: "src/Core/Framework/Integration/IntegrationDefinition.php" — "admin" field has no "WriteProtection(Context::SYSTEM_SCOPE)"

Working protection (bypassed):
- "src/Core/Framework/Integration/IntegrationController.php:46-56" — "isAdmin()" check only applies to the dedicated controller endpoint

Impact
- Complete admin API access — the escalated integration has full read/write on every entity: users, customers, orders, system configuration, integrations, plugins
- PII exfiltration — read all customer records (names, emails, addresses, order history)
- Persistent backdoor — the admin integration survives password changes and user deactivation

Remediation

Add "WriteProtection(Context::SYSTEM_SCOPE)" to "IntegrationDefinition", matching how "UserDefinition" and "AclRoleDefinition" are already protected:

    // src/Core/Framework/Integration/IntegrationDefinition.php
    (new BoolField('admin', 'admin'))
        ->addFlags(new WriteProtection(Context::SYSTEM_SCOPE)),
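To make the two write paths concrete, here is an added Python model (not Shopware's code) of the validator chain the advisory describes: the dedicated controller runs the isAdmin() gate and, as an assumption of this model, performs its write in system scope, while the Sync API reaches the EntityWriter with only the entity-level ACL check and the EntityProtectionValidator. VULNERABLE has no flag on "admin"; FIXED carries the WriteProtection(SYSTEM_SCOPE) flag the remediation adds, so the same DAL-level check closes the bypass regardless of entry point.

```python
from dataclasses import dataclass, field

SYSTEM_SCOPE = "system"   # stands in for Context::SYSTEM_SCOPE
USER_SCOPE = "user"       # default scope of an ordinary admin-API request


@dataclass
class Context:
    privileges: frozenset   # ACL privileges granted to the API source
    is_admin: bool          # what $source->isAdmin() would return
    scope: str = USER_SCOPE


@dataclass
class EntityDefinition:
    name: str
    # field name -> scope required by its WriteProtection flag
    write_protected: dict = field(default_factory=dict)


def entity_writer_upsert(defn, ctx, payload):
    """DAL write: only the two validators the advisory lists run here."""
    # 1. AclWriteValidator: an entity-level privilege is all it checks
    if f"{defn.name}:create" not in ctx.privileges:
        raise PermissionError(f"missing {defn.name}:create")
    # 2. EntityProtectionValidator: honours field-level WriteProtection flags
    for name, required_scope in defn.write_protected.items():
        if name in payload and ctx.scope != required_scope:
            raise PermissionError(f"{name!r} is write-protected")
    return dict(payload)


def sync_api(defn, ctx, payload):
    """POST /api/_action/sync: SyncService hands the payload straight to the writer."""
    return entity_writer_upsert(defn, ctx, payload)


def integration_controller(defn, ctx, payload):
    """POST /api/integration: isAdmin() gate, then an (assumed) system-scope write."""
    if payload.get("admin") and not ctx.is_admin:
        raise PermissionError("only admins may set admin=true")
    elevated = Context(ctx.privileges, ctx.is_admin, SYSTEM_SCOPE)
    return entity_writer_upsert(defn, elevated, payload)


VULNERABLE = EntityDefinition("integration")                      # no flag on "admin"
FIXED = EntityDefinition("integration", {"admin": SYSTEM_SCOPE})  # remediation applied


def sync_escalation_succeeds(defn):
    """Non-admin holding only integration:create sends admin=true via the Sync API."""
    ctx = Context(frozenset({"integration:create"}), is_admin=False)
    try:  # constructed sample payload
        return sync_api(defn, ctx, {"label": "ci-bot", "admin": True})["admin"] is True
    except PermissionError:
        return False
```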
Affected Packages
https://github.com/shopware/shopware.git (GITHUB):
Affected version(s) >=v6.6.0.0 <v6.6.10.18
Fix Suggestion:
Update to version v6.6.10.18
https://github.com/shopware/shopware.git (GITHUB):
Affected version(s) >=v6.7.0.0 <v6.7.10.1
Fix Suggestion:
Update to version v6.7.10.1
shopware/core (PHP):
Affected version(s) >=dev-tmp-a8bb4ae4f7f0e90697dc8bf7e92865771b615335 <v6.6.10.18
Fix Suggestion:
Update to version v6.6.10.18
shopware/platform (PHP):
Affected version(s) >=dev-acceptance-test-submit-a-review-backport-6.6.x <v6.6.10.18
Fix Suggestion:
Update to version v6.6.10.18
shopware/core (PHP):
Affected version(s) >=v6.7.0.0 <v6.7.10.1
Fix Suggestion:
Update to version v6.7.10.1
shopware/platform (PHP):
Affected version(s) >=v6.7.0.0 <v6.7.10.1
Fix Suggestion:
Update to version v6.7.10.1
CVSS v4
Base Score: 8.5
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: HIGH
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE

CVSS v3
Base Score: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: NONE

Weakness Type (CWE): Missing Authorization