CVE-2026-48014

CVE-2026-48014 is a medium-severity missing authorization vulnerability in shopware/platform (composer), affecting versions >= 6.7.0.0, < 6.7.10.1. It is fixed in 6.7.10.1, 6.6.10.18.

Summary

This is a vertical authorization bypass in the Admin API affecting order state transition features (/api/_action/order/{orderId}/state/{transition} and similar transaction/delivery transition routes). The root cause is that the transition action routes do not declare required server-side ACL privileges, allowing low-privileged users to pass the authorization boundary. As a result, authenticated users without order:update can still change order states, causing real security impact such as operational integrity loss, automation workflow misuse, and fulfillment/settlement/support process disruption.

Description

Shopware’s permission model requires server-side enforcement independent of UI guards. However, the dedicated order-state transition action endpoints are missing ACL metadata, so accounts without regular order update privileges can still submit transition requests that are processed by the backend. In real reproduction, the same low-privileged account receives 403 on the normal order update API, while the transition action API succeeds with 200 and updates order state in the database. The key point is that reproduction is possible through direct API calls regardless of UI access restrictions or hidden buttons. This is not a functional edge case; it is an implementation gap in authorization boundaries that enables privilege escalation behavior where a “read/limited-edit” user can control order lifecycle states.

Expected Behavior

  • Order, order-transaction, and order-delivery transition endpoints must perform explicit server-side ACL checks.
  • Requests should be rejected unless the caller has the proper entity update privileges, such as order:update, order_transaction:update, or order_delivery:update.
  • If an account gets 403 on the normal order update API, transition actions on the same protected resource should also be blocked by equivalent policy.
  • Even if transition internals use SYSTEM_SCOPE, caller authorization must be validated before entering the transition execution path.

Root Cause

File: src/Core/Checkout/Order/Api/OrderActionController.php

#[Route(
    path: '/api/_action/order/{orderId}/state/{transition}',
    name: 'api.action.order.state_machine.order.transition_state',
    methods: [Request::METHOD_POST]
)]
public function orderStateTransition(
    string $orderId,
    string $transition,
    Request $request,
    Context $context
): JsonResponse {
    $toPlace = $this->orderService->orderStateTransition(
        $orderId,
        $transition,
        $request->request,
        $context
    );

    return new JsonResponse($toPlace->jsonSerialize());
}

This route exposes state transitions but forwards user-controlled inputs (orderId, transition) into the service layer without PlatformRequest::ATTRIBUTE_ACL and without an explicit context->isAllowed(...) privilege check. An untrusted caller can directly control the transition target.

File: src/Core/Framework/Api/Acl/AclAnnotationValidator.php

$privileges = $request->attributes->get(PlatformRequest::ATTRIBUTE_ACL);

if (!$privileges) {
    return;
}

If route ACL metadata is absent, ACL validation exits immediately. Therefore these action routes skip authorization validation entirely.

File: src/Core/System/StateMachine/StateMachineRegistry.php

public function transition(Transition $transition, Context $context): StateMachineStateCollection
{
    return $context->scope(Context::SYSTEM_SCOPE, function (Context $context) use ($transition): StateMachineStateCollection {
        // ...
        $this->stateMachineHistoryRepository->create([$stateMachineHistoryEntity], $context);
        $repository->upsert($data, $context);
        // ...
    });
}

Transitions run in SYSTEM_SCOPE and persist state/history with system context. This requires strict pre-authorization at the route/controller boundary, but that pre-check is missing, so low-privileged calls still lead to real state changes.

Patch Recommendation

  • Add explicit ACL requirements to order/order-transaction/order-delivery transition routes in OrderActionController, aligned with entity update privileges.
  • Centralize server-side privilege checks at transition entry points so transition paths and normal update paths follow consistent authorization policy.
  • Keep SYSTEM_SCOPE writes strictly behind authorization gates; ensure caller privilege decisions are completed in pre-check logic before transition execution.
  • Review transition-related APIs to guarantee privilege model mapping (order:*, order_transaction:*, order_delivery:*) is consistently enforced and no unprotected route remains.

Impact

The precondition is a remotely reachable authenticated low-privileged Admin API user (for example, operator/support account, or a compromised restricted account). The attacker only needs a valid order identifier, then calls transition action endpoints to cancel/reopen/advance order states without intended update privileges. This attack remains feasible even when UI access is restricted, because direct API calls still work. As a result, business workflows can be manipulated: order lifecycle integrity is broken, payment/shipping/document/notification/automation flows can be triggered incorrectly, and operational disruption can follow. In realistic scenarios, an attacker with a restricted account can mass-cancel or selectively alter orders, causing customer-support spikes, settlement inconsistencies, fulfillment mistakes, and practical availability degradation of day-to-day operations.

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

CVE-2026-48014 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (6.7.10.1, 6.6.10.18); upgrading removes the vulnerable code path.

Affected versions

shopware/platform (>= 6.7.0.0, < 6.7.10.1) shopware/platform (< 6.6.10.18) shopware/core (>= 6.7.0.0, < 6.7.10.1) shopware/core (< 6.6.10.18)

Security releases

shopware/platform → 6.7.10.1 (composer) shopware/platform → 6.6.10.18 (composer) shopware/core → 6.7.10.1 (composer) shopware/core → 6.6.10.18 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

shopware/platform to 6.7.10.1 or later; shopware/platform to 6.6.10.18 or later; shopware/core to 6.7.10.1 or later; shopware/core to 6.6.10.18 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-48014? CVE-2026-48014 is a medium-severity missing authorization vulnerability in shopware/platform (composer), affecting versions >= 6.7.0.0, < 6.7.10.1. It is fixed in 6.7.10.1, 6.6.10.18. The application does not perform an authorization check before performing a sensitive operation.
  2. How severe is CVE-2026-48014? CVE-2026-48014 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-48014?
    • shopware/platform (composer) (versions >= 6.7.0.0, < 6.7.10.1)
    • shopware/core (composer) (versions >= 6.7.0.0, < 6.7.10.1)
  4. Is there a fix for CVE-2026-48014? Yes. CVE-2026-48014 is fixed in 6.7.10.1, 6.6.10.18. Upgrade to this version or later.
  5. Is CVE-2026-48014 exploitable, and should I be worried? Whether CVE-2026-48014 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-48014 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-48014?
    • Upgrade shopware/platform to 6.7.10.1 or later
    • Upgrade shopware/platform to 6.6.10.18 or later
    • Upgrade shopware/core to 6.7.10.1 or later
    • Upgrade shopware/core to 6.6.10.18 or later

Other vulnerabilities in shopware/platform

CVE-2026-48013CVE-2026-48015CVE-2026-48016CVE-2026-48014CVE-2026-48012

Stop the waste.
Protect your environment with Kodem.