GHSA-gqc5-xv7m-gcjq: Shopware has user enumeration via distinct error codes on Store API login endpoint
Severity: medium
Tags: vulnerability, security
Summary
Shopware's Store API login endpoint leaks whether an email address is registered by returning different error codes: one code if the email doesn't exist and another if the password is wrong. An attacker can use this to enumerate valid customer accounts without needing to guess passwords, because they only need one request per email address. The storefront login page correctly hides this distinction by returning a generic error for both cases, but the Store API does not.
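As an added illustration (not Shopware's code), the following Python sketch puts a login handler in the leaky shape described above beside a hardened one that returns a single generic error and does the same password-hashing work whether or not the email exists, together with a regression check that flags distinguishable responses. The account store and the error-code strings are constructed placeholders, not Shopware identifiers.

```python
import hashlib
import hmac
import os

# Constructed demo account store (not Shopware data): email -> (salt, PBKDF2 hash).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
ACCOUNTS = {"alice@example.com": (_SALT, _derive("correct horse", _SALT))}

# Placeholder error codes for illustration only; not Shopware's actual identifiers.
ERR_NOT_FOUND = "DEMO__CUSTOMER_NOT_FOUND"
ERR_BAD_PASSWORD = "DEMO__BAD_PASSWORD"
ERR_GENERIC = "DEMO__INVALID_CREDENTIALS"


def login_leaky(email: str, password: str) -> dict:
    """Vulnerable shape: the error code tells the caller whether the email is registered."""
    record = ACCOUNTS.get(email)
    if record is None:
        return {"ok": False, "code": ERR_NOT_FOUND}
    salt, expected = record
    if not hmac.compare_digest(_derive(password, salt), expected):
        return {"ok": False, "code": ERR_BAD_PASSWORD}
    return {"ok": True, "code": None}


# Dummy record so an unknown email still costs one derivation (no timing side channel).
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _derive(os.urandom(16).hex(), _DUMMY_SALT))


def login_hardened(email: str, password: str) -> dict:
    """Hardened shape: one generic code and identical work for unknown and known emails."""
    salt, expected = ACCOUNTS.get(email, _DUMMY)
    match = hmac.compare_digest(_derive(password, salt), expected)
    if email not in ACCOUNTS or not match:
        return {"ok": False, "code": ERR_GENERIC}
    return {"ok": True, "code": None}


def leaks_account_existence(login_fn) -> bool:
    """Regression check: do 'unknown email' and 'wrong password' yield different responses?"""
    unknown = login_fn("nobody@example.com", "wrong")
    wrong_pw = login_fn("alice@example.com", "wrong")
    return unknown != wrong_pw
```

Running `leaks_account_existence` against a real endpoint's normalised response (status code plus error code) is a cheap test to keep in a CI suite so this class of regression is caught before release.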
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
March 11, 2026
Classification
Attack Sophistication: Trivial
Affected Packages
shopware/core < 6.6.10.15 (fixed: 6.6.10.15)
shopware/core >= 6.7.0.0, < 6.7.8.1 (fixed: 6.7.8.1)
shopware/platform < 6.6.10.14 (fixed: 6.6.10.14)
shopware/platform >= 6.7.0.0, < 6.7.8.1 (fixed: 6.7.8.1)
Original source: https://github.com/advisories/GHSA-gqc5-xv7m-gcjq
First tracked: March 11, 2026 at 04:00 PM
Classified by LLM (prompt v3) · confidence: 95%