CVE-2026-48014
MEDIUM
NVD
CVSS Score
6.5
Severity
MEDIUM
Published
Jul 17, 2026
Vendor
unknown
Description
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/_action/order/{orderId}/state/{transition} and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare PlatformRequest::ATTRIBUTE_ACL or perform an explicit privilege check, so AclAnnotationValidator exits when route ACL metadata is absent and low-privileged users without order:update, order_transaction:update, or order_delivery:update can trigger StateMachineRegistry::transition() writes in SYSTEM_SCOPE. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
References
- https://github.com/shopware/shopware/commit/86dff24ba500e16325742e59d20357f57a79c2af
- https://github.com/shopware/shopware/commit/9f15faee704b61e8a96657024fa96c70b47ad082
- https://github.com/shopware/shopware/releases/tag/v6.6.10.18
- https://github.com/shopware/shopware/releases/tag/v6.7.10.1
- https://github.com/shopware/shopware/security/advisories/GHSA-f8q6-3g5w-jjr6