CVE-2026-48011
Published:June 05, 2026
Updated:June 06, 2026
Summary There is a Proof of Concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack. Details The faulty code exists in ""src/Core/Framework/Api/OAuth/UserRepository.php"" (https://github.com/shopware/shopware/blob/trunk/src/Core/Framework/Api/OAuth/UserRepository.php): public function getUserEntityByUserCredentials( string $username, #[\SensitiveParameter] string $password, string $grantType, ClientEntityInterface $clientEntity ): ?UserEntityInterface { if ($this->loginConfigService->getConfig()?->useDefault === false) { // never allow login via password if the default login is disabled (e.g. using SSO only) return null; } $builder = $this->connection->createQueryBuilder(); $user = $builder->select('user.id', 'user.password') ->from('user') ->where('username = :username') ->setParameter('username', $username) ->fetchAssociative(); // PATH 1: EARLY RETURN WHEN USERNAME IS NOT FOUND if (!$user) { return null; } // PATH 2: VERIFY PASSWORD IF USER IS FOUND if (!password_verify($password, (string) $user['password'])) { return null; } return new User(Uuid::fromBytesToHex($user['id'])); } Subroutine "getUserEntityByUserCredentials()" is called when an auth request is send to "api/oauth/token". If the given username is not found an early return is done (PATH 1). Only if the user is found we verify the password using "password_verify". PHP method "password_verify" by default uses hashing algorithm Argon2id which by design is intentionally 'slow' by introducing a timing cost to an attempt to bruteforce hashes more costly. Since "password_verify" has a notable executable time, PATH 2 where an user is found and verified will be slower on average then PATH 1 where we do an early return for non-existing users. Proposed fix Before doing the early return, "password_verify" a dummy hash. Impact 1. More targeted dictionary/bruteforce attacks. 2. Spear phishing / eases social engineering. 3. Credential stuffing from other data leaks. Authors Niel Duysters (@NielDuysters) and Thomas Brankaer (@tbrankaer)
Affected Packages
https://github.com/shopware/shopware.git (GITHUB):
Affected version(s) >=v6.7.0.0 <v6.7.10.1Fix Suggestion:
Update to version v6.7.10.1https://github.com/shopware/shopware.git (GITHUB):
Affected version(s) >=v6.6.0.0 <v6.6.10.18Fix Suggestion:
Update to version v6.6.10.18shopware/platform (PHP):
Affected version(s) >=v6.7.0.0 <v6.7.10.1Fix Suggestion:
Update to version v6.7.10.1shopware/core (PHP):
Affected version(s) >=v6.7.0.0 <v6.7.10.1Fix Suggestion:
Update to version v6.7.10.1shopware/platform (PHP):
Affected version(s) >=dev-acceptance-test-submit-a-review-backport-6.6.x <v6.6.10.18Fix Suggestion:
Update to version v6.6.10.18shopware/core (PHP):
Affected version(s) >=dev-tmp-a8bb4ae4f7f0e90697dc8bf7e92865771b615335 <v6.6.10.18Fix Suggestion:
Update to version v6.6.10.18Related Resources (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Observable Timing Discrepancy