Shopware 6: Mapping Your Way to RCE via Twig Type Juggling
Jan 14, 2026
Executive Summary (TL;DR)
Shopware tried to sandbox Twig by checking whether function names were allowlisted strings. They forgot that PHP callables can also be arrays (e.g., `['Class', 'Method']`). Exploiting that oversight bypasses the sandbox completely, turning a simple template rendering engine into a remote shell.
A critical logic flaw in Shopware 6's Twig SecurityExtension allows attackers to bypass the function allowlist. By leveraging PHP's loose typing and passing array-based callables to the `map` filter, attackers can evade the security checks and execute arbitrary PHP methods, leading to Remote Code Execution (RCE).
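The following is an added illustration, not Shopware's code and not the patched SecurityExtension: it contrasts the weak pattern the write-up describes (an allowlist that is only consulted when the callable is a string) with a hardened guard that rejects every non-string callable outright, and wraps a `map`-style filter in that guard. The class name `CallableGuard`, the helper names, the allowlist contents and the sample inputs are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical, not Shopware's code). A guard for a
// Twig-style `map` filter: only plain string function names on an
// allowlist may be passed to array_map().

final class CallableGuard
{
    /** @var list<string> constructed allowlist of harmless string helpers */
    private const ALLOWED = ['strtoupper', 'strtolower', 'trim', 'ucfirst'];

    /**
     * Weak pattern described in the write-up: the allowlist is consulted
     * only when the callable is a string, so an array callable such as
     * ['SomeClass', 'someMethod'] is never compared against it.
     */
    public static function weakIsAllowed(mixed $fn): bool
    {
        if (is_string($fn)) {
            return in_array($fn, self::ALLOWED, true);
        }
        return true; // BUG: non-string callables fall through unchecked
    }

    /**
     * Hardened check: anything that is not a string is rejected, and the
     * string must be a bare function name (no namespace, no "Class::method")
     * that matches the allowlist under strict comparison.
     */
    public static function hardenedIsAllowed(mixed $fn): bool
    {
        if (!is_string($fn)) {
            return false; // arrays, closures, invokable objects: never allowed
        }
        $name = strtolower(ltrim($fn, '\\'));
        if ($name === '' || !preg_match('/^[a-z_][a-z0-9_]*$/', $name)) {
            return false; // rejects "Class::method" and namespaced names
        }
        return in_array($name, self::ALLOWED, true);
    }

    /** Guarded equivalent of `items|map(fn)`: throws instead of calling. */
    public static function safeMap(array $items, mixed $fn): array
    {
        if (!self::hardenedIsAllowed($fn)) {
            throw new \RuntimeException('Callable rejected by sandbox guard');
        }
        return array_map($fn, $items);
    }
}

// Constructed inputs exercising each branch of both checks.
$cases = [
    'trim',                       // allowlisted string: both checks allow
    'SomeClass::someMethod',      // static-method string: both checks reject
    ['SomeClass', 'someMethod'],  // array callable: only the hardened check rejects
    fn ($x) => $x,                // closure: only the hardened check rejects
];
foreach ($cases as $fn) {
    printf(
        "%-24s weak=%-5s hardened=%s\n",
        is_string($fn) ? $fn : gettype($fn),
        var_export(CallableGuard::weakIsAllowed($fn), true),
        var_export(CallableGuard::hardenedIsAllowed($fn), true)
    );
}
print_r(CallableGuard::safeMap([' a ', ' b '], 'trim'));
```

The design point is that `is_callable()` and `array_map()` accept arrays, closures and invokable objects in addition to strings, so a sandbox that validates only the string form leaves every other callable shape unchecked; the hardened guard closes that gap by deciding allow/deny on the type first and on the name second.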
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Shopware 6 (Shopware) | < 6.6.x (Patched Jan 2026) | Post-Jan-5-2026 Release |

| Attribute | Detail |
|---|---|
| Attack Vector | Network (Twig Template Injection) |
| CVSS v3.1 | 9.8 (Critical) |
| CWE ID | CWE-843 |
| CWE Name | Access of Resource Using Incompatible Type ('Type Confusion') |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | Proof of Concept (PoC) |
CWE-843 definition: The program allocates or initializes a resource using one type, but it later accesses that resource using a type that is incompatible with the original type.