Critical Shopware Vulnerability Allows Attackers to Hijack App Credentials Through Registration Flow
CVE-2026-31889 scores 8.9 CVSS and affects all Shopware versions prior to 6.6.10.15 and 6.7.8.1
CVE-2026-31889, disclosed on March 11, carries a CVSS score of 8.9 and affects Shopware's legacy HMAC-based handshake used during app re-registration. The vulnerability allows an attacker with knowledge of an app's shared secret to spoof registration requests and redirect a shop's URL routing metadata, intercepting API tokens and webhooks.
The core issue is that Shopware failed to require a proof-of-possession signature during the re-registration process. Without this verification step, an attacker can modify where a shop sends its API credentials, effectively hijacking communication between the shop and any connected app.
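To make the missing check concrete, the following Python sketch is an added illustration, not Shopware's code and not its real handshake message format. It contrasts a re-registration handler that accepts a request on the strength of an HMAC keyed with the app-level shared secret alone (the secret the article says an attacker may hold) with a hardened handler that additionally demands a proof of possession keyed with a per-shop secret established at first registration and rejects nonce replay. The per-shop secret, the field names, the canonical JSON encoding, the nonce handling and every sample value are assumptions of this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample value for this example only (not a real Shopware secret).
APP_SHARED_SECRET = b"constructed-app-shared-secret"


def make_registry() -> dict:
    """Constructed stand-in for an app's stored registration of one shop.

    Assumption for this example: a per-shop secret is established at first
    registration, is distinct from the app-level shared secret, and is never
    sent over the wire again.
    """
    return {
        "shop-123": {
            "endpoint": "https://shop.example/api",
            "shop_secret": b"constructed-per-shop-secret",
            "seen_nonces": set(),
        }
    }


def _canonical(fields: dict) -> bytes:
    # Deterministic encoding so both sides MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, fields: dict) -> str:
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def _body(request: dict) -> Optional[dict]:
    # The fields covered by the signatures; None if any are missing.
    try:
        return {k: request[k] for k in ("shop_id", "endpoint", "nonce")}
    except KeyError:
        return None


def build_request(shop_id: str, endpoint: str, nonce: str,
                  shop_secret: Optional[bytes] = None) -> dict:
    """Build a re-registration request signed with the app-level secret.
    If shop_secret is given, the request also carries a proof of possession
    of the per-shop secret over the same fields."""
    body = {"shop_id": shop_id, "endpoint": endpoint, "nonce": nonce}
    req = dict(body)
    req["signature"] = _mac(APP_SHARED_SECRET, body)
    if shop_secret is not None:
        req["proof"] = _mac(shop_secret, body)
    return req


def legacy_reregister(registry: dict, request: dict) -> bool:
    """Vulnerable pattern: the only check is the HMAC keyed with the app-level
    shared secret, so any holder of that secret can redirect the shop's
    endpoint (the class of flaw the article describes)."""
    reg = registry.get(request.get("shop_id"))
    body = _body(request)
    if reg is None or body is None:
        return False
    if not hmac.compare_digest(_mac(APP_SHARED_SECRET, body), request.get("signature", "")):
        return False
    reg["endpoint"] = body["endpoint"]
    return True


def hardened_reregister(registry: dict, request: dict) -> bool:
    """Hardened pattern: also require a proof computed with the per-shop
    secret over the same fields, and refuse to process a nonce twice."""
    reg = registry.get(request.get("shop_id"))
    body = _body(request)
    if reg is None or body is None:
        return False
    if not hmac.compare_digest(_mac(APP_SHARED_SECRET, body), request.get("signature", "")):
        return False
    # Proof of possession: only the party that completed the original
    # registration holds reg["shop_secret"] and can produce this value.
    if not hmac.compare_digest(_mac(reg["shop_secret"], body), request.get("proof", "")):
        return False
    if body["nonce"] in reg["seen_nonces"]:
        return False  # replay of an earlier, otherwise valid request
    reg["seen_nonces"].add(body["nonce"])
    reg["endpoint"] = body["endpoint"]
    return True


if __name__ == "__main__":
    no_proof = build_request("shop-123", "https://relay.example/api", "n1")
    with_proof = build_request("shop-123", "https://shop.example/api/v2", "n2",
                               b"constructed-per-shop-secret")
    r = make_registry()
    print("legacy accepts request without proof:", legacy_reregister(r, no_proof), r["shop-123"]["endpoint"])
    r = make_registry()
    print("hardened rejects request without proof:", hardened_reregister(r, no_proof), r["shop-123"]["endpoint"])
    print("hardened accepts request with proof:", hardened_reregister(r, with_proof), r["shop-123"]["endpoint"])
```

The point of the contrast is the second MAC: in the hardened handler the app-level secret alone is no longer sufficient to move the endpoint, which is exactly the property a proof-of-possession step on re-registration provides. Any real implementation would also bind the proof to a timestamp or expiry and log rejected re-registration attempts, since a burst of rejections against one shop is a useful detection signal.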
Shopware has released patches in versions 6.6.10.15 and 6.7.8.1. The vulnerability affects Shopware Core and Platform installations, and administrators are urged to update immediately. There are no reports of active exploitation in the wild.
Analysis
Why This Matters
Shopware powers thousands of online stores, particularly in the European market. A credential takeover vulnerability in the app registration flow could allow attackers to intercept payment data, customer information, and administrative access through connected third-party apps.
Background
The vulnerability stems from the legacy HMAC handshake mechanism, which predates modern proof-of-possession requirements. The fix adds proper signature verification to the re-registration flow.
Key Perspectives
E-commerce platforms remain high-value targets because they process payment data and store customer PII. Integration points between platforms and third-party apps are particularly attractive attack surfaces.
What to Watch
Whether exploitation attempts emerge now that the vulnerability details are public, and how quickly Shopware merchants apply the patch.