Summary
Description
This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In the validated behavior, the server does not restrict that fallback target to same-origin URLs, does not require a relative path, and does not reject dangerous schemes such as javascript:. As a result, an unauthenticated request can turn this endpoint into a reusable redirect primitive whose destination is fully controlled by attacker-supplied request metadata.
The security problem is not limited to a harmless navigation mismatch. The endpoint sits under /api/oauth/, which gives the redirect a trustworthy application-controlled origin and makes it suitable for phishing chains, branded redirect abuse, and cases where client software automatically follows redirects issued by a trusted host. The attached evidence also shows that the response is not only an HTTP 302 with a user-controlled Location header. The HTML body contains a matching meta refresh tag and redirect link built from the same attacker-controlled value. In the validated proof, the endpoint redirects to https://attacker.example/poc when that URL is supplied through Referer, and it also reflects javascript:alert(1) into Location and the HTML redirect body without any scheme filtering. This report therefore stays conservative and claims an open redirect with arbitrary redirect targets, while noting that the lack of scheme restrictions makes the behavior materially worse than a same-scheme external redirect.
Steps To Reproduce
- Start a local Shopware instance that exposes the vulnerable endpoint at
http://127.0.0.1:8000/api/oauth/sso/auth. No login is required for the proof. The attached Python PoC already targets that base URL and is configured to send direct requests without following redirects automatically. - Run the attached PoC with
python3 poc_sso_referer_open_redirect.py. The script sends three requests toGET /api/oauth/sso/authand records the raw responses as evidence files. The first request omits theRefererheader entirely. The second request suppliesReferer: https://attacker.example/poc. The third request suppliesReferer: javascript:alert(1). - Inspect the first recorded response in
evidence/sso_redirect_no_referer.raw.txt. In the validated run, the endpoint returns401with the messageReferrer not found. Cannot redirect.This shows that the code path being exercised is the unauthenticated fallback behavior that depends onRefererwhen the expected SSO state is missing. - Inspect
evidence/sso_redirect_https_redirect.raw.txt. In the validated run, the endpoint returns302and setsLocation: https://attacker.example/poc. The HTML body also contains a meta refresh tag and redirect link pointing to the same external URL. This demonstrates that the server accepts an attacker-controlled external target and emits it as a redirect destination. - Inspect
evidence/sso_redirect_javascript_redirect.raw.txt. In the validated run, the endpoint again returns302, but this time the response setsLocation: javascript:alert(1). The HTML body mirrors the samejavascript:target in both the meta refresh tag and the anchor. This demonstrates that the fallback redirect does not even enforce anhttporhttpsscheme restriction before constructing the response. - Compare the PoC summary in
evidence/poc_sso_referer_open_redirect.output.txtwith the raw responses. The validated run shows401when noRefereris present,302tohttps://attacker.example/pocwhen an external HTTPS URL is supplied, and302tojavascript:alert(1)when a dangerous scheme is supplied. That behavior confirms the endpoint can be used as an open redirect with an arbitrary redirect target controlled throughReferer.
Recommendations
The endpoint should stop using Referer as a fallback redirect target when the expected SSO state is missing. If the application cannot complete the SSO flow because the required session state does not exist, it should return a fixed error response or redirect only to a fixed internal page that is not influenced by request headers. Referer is not a trustworthy source of navigation intent and should not be treated as an authorization or routing signal for security-sensitive redirect logic.
If the product needs to preserve a return destination, that destination should be derived from a server-generated state value or validated against a strict allowlist. At minimum, the code should reject non-HTTP schemes, reject scheme-relative targets such as //host, and reject absolute URLs that are not same-origin with the current Shopware instance. A regression test should cover the exact cases proven here: no Referer, an external HTTPS Referer, and a javascript: Referer, with assertions that none of the attacker-controlled values can be emitted into Location or the HTML redirect body.
Note on submission channel:
I initially attempted to submit this issue through Shopware’s official security reporting form. The form backend returned HTTP 400 for normal submissions, and when an attachment was included it explicitly rejected .md, .py, .zip files with the message File type not allowed. Because the official form was not functioning correctly for me, I am submitting this report privately through GitHub’s vulnerability reporting flow.
Impact
The demonstrated impact is that an unauthenticated attacker can cause a trusted Shopware endpoint to emit arbitrary redirect targets chosen through the request's Referer header. In the minimum case, that enables standard open redirect abuse for phishing, brand impersonation, and redirect chaining through a legitimate application origin. Because the redirect is served from /api/oauth/sso/auth, the resulting URL can look more trustworthy than a generic off-site redirect and may be more likely to be followed by users or client software that expects the endpoint to participate in an authentication flow.
The validated evidence also shows that the endpoint does not restrict the redirect target to ordinary web URLs. It reflects javascript:alert(1) directly into Location and into the HTML redirect page. This report keeps the claim conservative and classifies the issue as an open redirect with arbitrary redirect targets, but the acceptance of dangerous schemes makes the behavior more severe than a simple same-browser redirect to another HTTPS site and increases the risk of downstream abuse depending on client behavior.
Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites. Typical impact: phishing and credential harvesting via a trusted domain.
CVE-2026-48012 has a CVSS score of 4.3 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (6.7.10.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
shopware/core to 6.7.10.1 or later; shopware/platform to 6.7.10.1 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-48012? CVE-2026-48012 is a medium-severity open redirect vulnerability in shopware/core (composer), affecting versions >= 6.7.3.0, < 6.7.10.1. It is fixed in 6.7.10.1. Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites.
- How severe is CVE-2026-48012? CVE-2026-48012 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2026-48012?
shopware/core(composer) (versions >= 6.7.3.0, < 6.7.10.1)shopware/platform(composer) (versions >= 6.7.3.0, < 6.7.10.1)
- Is there a fix for CVE-2026-48012? Yes. CVE-2026-48012 is fixed in 6.7.10.1. Upgrade to this version or later.
- Is CVE-2026-48012 exploitable, and should I be worried? Whether CVE-2026-48012 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-48012 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-48012?
- Upgrade
shopware/coreto 6.7.10.1 or later - Upgrade
shopware/platformto 6.7.10.1 or later
- Upgrade