Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Project Subscriptions

Vendors Products
Shopware Subscribe
Platform Subscribe
Shopware Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9v5m-39wh-5chq Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 17 Jul 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Shopware
Shopware platform
Shopware shopware
Vendors & Products Shopware
Shopware platform
Shopware shopware

Fri, 17 Jul 2026 18:15:00 +0000

Type Values Removed Values Added
Description Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
Title Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-17T17:54:21.990Z

Reserved: 2026-05-20T17:44:09.586Z

Link: CVE-2026-48016

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T19:45:04Z

Weaknesses