CVEReports

CVE-2026-31887: Incorrect Authorization in Shopware Store API Order Route

CVSS 8.9

Amit Schendel, Senior Security Researcher
Mar 12, 2026 · 4 min read

PoC Available

Executive Summary (TL;DR)

Unauthenticated attackers with a single valid deepLinkCode can inject arbitrary filters into the Shopware Store API to bypass access controls, exposing PII and order data of other customers.

CVE-2026-31887 is an Incorrect Authorization vulnerability in the Shopware commerce platform. The flaw resides in the store-api.order endpoint and allows unauthenticated attackers to bypass Data Abstraction Layer (DAL) filters and extract sensitive Personally Identifiable Information (PII) belonging to other customers.

Vulnerability Overview

CVE-2026-31887 describes an incorrect authorization vulnerability in the Shopware commerce platform. The flaw affects the shopware/core and shopware/platform packages, specifically the store-api.order endpoint. This endpoint allows unauthenticated guest access via a deepLinkCode to view the details of a specific order.

The vulnerability falls under CWE-863 (Incorrect Authorization). The Store API utilizes a Data Abstraction Layer (DAL) Criteria system that processes search filters and database associations defined in client request payloads. The API fails to properly restrict the filters provided by clients when authenticating via a guest deepLinkCode.

This lack of strict server-side validation allows an attacker to bypass the intended access controls. Attackers can extract order data belonging to other customers, exposing sensitive Personally Identifiable Information (PII). The exploit requires the attacker to possess at least one valid deepLinkCode to reach the vulnerable logic path.

Root Cause Analysis

The root cause of the vulnerability lies in the implementation of the OrderRoute within the Shopware Store API. The application logic fails to strictly enforce the deepLinkCode as an exclusive, non-bypassable filter for unauthenticated requests. The DAL Criteria system processes complex JSON payloads containing user-defined filters, sortings, and database associations.

Attackers exploit this by injecting arbitrary filter types into the Criteria object. The vulnerable implementation processes filters such as EqualsFilter, RangeFilter, or PrefixFilter without proper authorization checks. The server-side logic improperly merges these user-supplied filters with the required deepLinkCode filter.

Specifically, either the flawed query construction combines the mandatory deepLinkCode filter with the attacker-supplied filters in an OR condition, or the system fails to strip unauthorized filters before execution. In both cases the backend database returns records matching the injected filters, overriding the strict isolation the guest access token was intended to enforce.

Exploit Methodology

Exploitation requires an attacker to possess a single valid, non-guessable deepLinkCode. This code provides initial access to the vulnerable /store-api/order endpoint. The attacker does not require an authenticated session or elevated privileges within the Shopware instance to execute the attack.

The attacker crafts a POST request to the /store-api/order endpoint. The request body contains a JSON payload defining a criteria object with malicious filters. By supplying the valid deepLinkCode alongside secondary filters, the attacker forces the backend to evaluate unauthorized parameters.

{
  "filter": [
    { "type": "equals", "field": "deepLinkCode", "value": "VALID_CODE_HERE" },
    { "type": "equals", "field": "orderNumber", "value": "10001" }
  ],
  "associations": {
    "orderCustomer": {},
    "addresses": {},
    "deliveries": {}
  }
}

If the backend fails to enforce a strict filter whitelist, the DAL processes the injected orderNumber filter. The system returns the order data for order number 10001 regardless of its association with the provided deepLinkCode. Through the deep associations requested in the payload, the attacker extracts comprehensive customer PII including names, addresses, and delivery data.

Impact Assessment

The primary impact of CVE-2026-31887 is a severe breach of confidentiality. Attackers achieve mass extraction of customer PII and complete order histories. Extracted data includes customer names, email addresses, physical shipping addresses, and payment details.

The vulnerability carries a CVSS 4.0 base score of 8.9, rated High (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N). The attack vector is strictly network-based and requires no user interaction. The integrity of the system remains unaffected, as the vulnerability facilitates data extraction rather than unauthorized modification.

The availability impact is categorized as low. However, attackers can construct complex recursive Criteria objects within the payload. Processing these deeply nested associations forces excessive database queries, creating a viable path for resource exhaustion and subsequent Denial of Service (DoS) conditions against the database tier.

Remediation and Patch Analysis

Shopware addressed this vulnerability in core versions 6.6.10.15 and 6.7.8.1. The remediation implements strict filter whitelisting within the OrderRoute and associated DAL builders. The system now mandates that any request lacking explicit authentication undergoes rigid filter sanitization.

The patch enforces the deepLinkCode as a mandatory, top-level AND constraint. The application actively strips or rejects any filter not explicitly permitted for guest access before passing the Criteria object to the database layer. This ensures injected filters cannot bypass the token isolation.
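The flawed merge described under Root Cause Analysis and the whitelist-plus-AND fix described above, modelled side by side as an added example (illustrative Python written for this page, not Shopware's PHP DAL code). The ORDERS records, the GUEST_ALLOWED_FIELDS whitelist and the small filter evaluator are constructed assumptions; the filter shapes (equals, prefix, multi with and/or) follow the Store API criteria format shown in the payload above.

```python
from typing import Callable

# Constructed sample records standing in for rows of the order entity; not real data.
ORDERS = [
    {"orderNumber": "10001", "deepLinkCode": "CODE-ALICE", "orderCustomer": {"email": "alice@example.test"}},
    {"orderNumber": "10002", "deepLinkCode": "CODE-BOB", "orderCustomer": {"email": "bob@example.test"}},
]

# Assumption: a guest presenting a deepLinkCode may narrow by order number only,
# never by fields of associated entities such as orderCustomer.email.
GUEST_ALLOWED_FIELDS = frozenset({"orderNumber"})


def matches(order: dict, flt: dict) -> bool:
    """Evaluate one Store API style filter (equals, prefix, or multi with and/or) against a record."""
    kind = flt["type"]
    if kind == "multi":
        combine: Callable = all if flt.get("operator", "and") == "and" else any
        return combine(matches(order, q) for q in flt["queries"])
    value = order.get(flt["field"])
    if kind == "equals":
        return value == flt["value"]
    if kind == "prefix":
        return isinstance(value, str) and value.startswith(flt["value"])
    raise ValueError(f"unsupported filter type {kind!r}")


def vulnerable_search(deep_link_code: str, client_filters: list[dict]) -> list[str]:
    """Flawed merge: the deepLinkCode filter and the client filters land in one OR group,
    so any injected filter widens the result set beyond the guest's own order."""
    merged = {"type": "multi", "operator": "or", "queries": [
        {"type": "equals", "field": "deepLinkCode", "value": deep_link_code}, *client_filters]}
    return [o["orderNumber"] for o in ORDERS if matches(o, merged)]


def guest_filters_allowed(client_filters: list[dict]) -> bool:
    """Whitelist check: every client filter must be a simple filter on a permitted field."""
    return all(f["type"] != "multi" and f.get("field") in GUEST_ALLOWED_FIELDS for f in client_filters)


def hardened_search(deep_link_code: str, client_filters: list[dict]) -> list[str]:
    """Fixed merge: reject non-whitelisted filters, then AND the deepLinkCode on top of
    whatever remains, so the guest token stays a non-bypassable constraint."""
    if not guest_filters_allowed(client_filters):
        raise PermissionError("filter not permitted for guest deepLinkCode access")
    merged = {"type": "multi", "operator": "and", "queries": [
        {"type": "equals", "field": "deepLinkCode", "value": deep_link_code}, *client_filters]}
    return [o["orderNumber"] for o in ORDERS if matches(o, merged)]
```

With Alice's code and an injected orderNumber filter for Bob's order, the vulnerable merge returns both orders while the hardened merge returns none, and a prefix filter on orderCustomer.email is rejected before it reaches the query layer.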

In conjunction with the routing fix, the developers applied architectural hardening measures via commit 92e57c2eeb525810dc7c6028804a3e23f2fea3ef. These changes harden the AppSecretRotationController to prevent metadata leakage in JSON responses. The patch also relocates sensitive endpoints to more restricted namespaces to minimize the unauthenticated attack surface.

Official Patches

  • Shopware fix commit (architectural hardening): 92e57c2eeb525810dc7c6028804a3e23f2fea3ef

Technical Appendix

CVSS Score

8.9 / 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Systems

  • shopware/core
  • shopware/platform

Affected Versions Detail

Product                    Affected Versions           Fixed Version
shopware/core (Shopware)   >= 6.7.0.0, < 6.7.8.1       6.7.8.1
shopware/core (Shopware)   >= 6.6.0.0, < 6.6.10.15     6.6.10.15

Attribute             Detail
CWE ID                CWE-863
Attack Vector         Network
CVSS Score            8.9
Privileges Required   None
Exploit Status        Proof of Concept
KEV Status            Not Listed

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1566 Phishing (Initial Access)

CWE-863: Incorrect Authorization

Vulnerability Timeline

2026-03-11: Public Disclosure and Official Publication

References & Sources

  • [1] NVD Record for CVE-2026-31887
  • [2] GitHub Security Advisory: GHSA-7vvp-j573-5584
  • [3] Affected Repository: shopware/shopware

Attack Flow Diagram

(Interactive diagram not reproduced in text.)