Description

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

INFO

Published Date :

2026-03-11T18:53:03.018Z

Last Modified :

2026-03-12T20:02:47.581Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31888 vulnerability.

Vendors Products
Shopware
  • Platform
  • Shopware
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31888.

URL Resource
https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact