Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-v39m-97p8-gqg7 | Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts |
Sat, 18 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Shopware
Shopware platform Shopware shopware |
|
| Vendors & Products |
Shopware
Shopware platform Shopware shopware |
Fri, 17 Jul 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser() in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEM_SCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users; IntegrationController::upsertIntegration() contains an isAdmin() check for the same field, but UserController was missing this check. This issue is fixed in versions 6.6.10.18 and 6.7.10.1. | |
| Title | Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts | |
| Weaknesses | CWE-269 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T23:15:41.762Z
Reserved: 2026-05-20T17:44:09.586Z
Link: CVE-2026-48010
Updated: 2026-07-17T21:09:28.069Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T19:45:04Z
Github GHSA