Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-48010
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-17 Jul, 2026 | 17:55
Updated At-17 Jul, 2026 | 17:55
Rejected At-
▼CVE Numbering Authority (CNA)
Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser() in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEM_SCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users; IntegrationController::upsertIntegration() contains an isAdmin() check for the same field, but UserController was missing this check. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Affected Products
Vendor
shopware
Product
shopware
Versions
Affected
  • < 6.6.10.18
  • >= 6.7.0.0, < 6.7.10.1
Vendor
shopware
Product
platform
Versions
Affected
  • < 6.6.10.18
  • >= 6.7.0.0, < 6.7.10.1
Problem Types
TypeCWE IDDescription
CWECWE-269CWE-269: Improper Privilege Management
Type: CWE
CWE ID: CWE-269
Description: CWE-269: Improper Privilege Management
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/shopware/shopware/security/advisories/GHSA-v39m-97p8-gqg7
x_refsource_CONFIRM
https://github.com/shopware/shopware/commit/7f1cef324ca4edfa6369264cc1c41287d032624d
x_refsource_MISC
https://github.com/shopware/shopware/commit/d8d9a34a9255abf69c2798015a17cd6a80b08c25
x_refsource_MISC
https://github.com/shopware/shopware/releases/tag/v6.6.10.18
x_refsource_MISC
https://github.com/shopware/shopware/releases/tag/v6.7.10.1
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/security/advisories/GHSA-v39m-97p8-gqg7
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/shopware/shopware/commit/7f1cef324ca4edfa6369264cc1c41287d032624d
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/commit/d8d9a34a9255abf69c2798015a17cd6a80b08c25
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.6.10.18
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.7.10.1
Resource:
x_refsource_MISC
Details not found