| Vulnerability ID | VCID-qczj-f83h-5bbp |
| Aliases | CVE-2026-31889, GHSA-c4p7-rwrg-pf6p |
| Summary | Shopware vulnerable to a potential take over of app credentials. We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. We have no evidence that this vulnerability has been exploited. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00094 | https://api.first.org/data/v1/epss?cve=CVE-2026-31889 |
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-c4p7-rwrg-pf6p |
| cvssv3.1_qr | HIGH | https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p |
| Reference id | Reference type | URL |
|---|---|---|
| | | https://api.first.org/data/v1/epss?cve=CVE-2026-31889 |
| | | https://github.com/shopware/shopware |
| CVE-2026-31889 | | https://nvd.nist.gov/vuln/detail/CVE-2026-31889 |
| GHSA-c4p7-rwrg-pf6p | | https://github.com/advisories/GHSA-c4p7-rwrg-pf6p |
| GHSA-c4p7-rwrg-pf6p | | https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p |
| Percentile | 0.26161 |
| EPSS Score | 0.00094 |
| Published At | May 30, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-30T21:07:49.217254+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/core/CVE-2026-31889.yml | 38.6.0 |