CVE-2026-31887: CWE-863: Incorrect Authorization in shopware core
CVE-2026-31887 is a high-severity authorization vulnerability in Shopware core versions prior to 6.7.8.1 and 6.6.10.15. It allows unauthenticated users to access orders belonging to other customers via insufficient filtering on the store-api.order endpoint, specifically related to deepLinkCode support. The flaw stems from an incorrect authorization check (CWE-863) that fails to properly restrict access to order data.
AI Analysis
Technical Summary
CVE-2026-31887 is an authorization bypass vulnerability identified in the core of Shopware, an open commerce platform widely used for e-commerce solutions. The vulnerability exists in versions >= 6.7.0.0 and < 6.7.8.1, as well as versions prior to 6.6.10.15. It arises due to insufficient validation of filter types applied to unauthenticated customers when accessing the store-api.order endpoint, which supports deepLinkCode functionality. This endpoint is intended to allow customers to retrieve their own orders securely; however, the flawed authorization logic allows attackers to manipulate filter parameters to access orders belonging to other customers without authentication. The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a failure to enforce proper access controls. The CVSS 4.0 base score is 8.9 (high), reflecting the vulnerability's network attack vector, low attack complexity, no required privileges or user interaction, and a high impact on confidentiality. The vulnerability does not affect integrity or availability but compromises sensitive customer order data. No public exploits have been reported yet, but the flaw's nature makes it a critical privacy risk. The vendor has addressed the issue in versions 6.7.8.1 and 6.6.10.15 by implementing stricter authorization checks on the filter parameters to ensure only authorized users can access order information.
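The following Python is an added illustration, not Shopware's code and not the vendor's patch. It models the class of check the analysis describes: a guest order lookup that only verifies that some deepLinkCode filter is present (so the filter type goes unchecked), beside a hardened version that accepts exactly one exact-match filter on that field and otherwise denies the request. The order records, field names and the three filter types are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: order ids, customer ids and deepLinkCode values are made up.
ORDERS = [
    {"id": "o-1001", "customerId": "c-1", "deepLinkCode": "dlc-7f3a"},
    {"id": "o-1002", "customerId": "c-2", "deepLinkCode": "dlc-91be"},
    {"id": "o-1003", "customerId": "c-2", "deepLinkCode": "dlc-c0de"},
]

@dataclass(frozen=True)
class Filter:
    type: str   # "equals", "prefix" or "contains": a simplified model of search filter types
    field: str
    value: str

def matches(order: dict, f: Filter) -> bool:
    v = str(order.get(f.field, ""))
    if f.type == "equals":
        return v == f.value
    if f.type == "prefix":
        return v.startswith(f.value)
    if f.type == "contains":
        return f.value in v
    raise ValueError(f"unsupported filter type: {f.type}")

def _scope(customer_id: Optional[str]) -> List[dict]:
    # Logged-in customers are restricted to their own orders; guests see the whole table.
    return ORDERS if customer_id is None else [o for o in ORDERS if o["customerId"] == customer_id]

def weak_order_search(customer_id: Optional[str], filters: List[Filter]) -> List[str]:
    """Vulnerable model: a guest only has to mention deepLinkCode in *some* filter; the
    filter type is never checked, so a broad prefix/contains filter matches every order."""
    if customer_id is None and not any(f.field == "deepLinkCode" for f in filters):
        raise PermissionError("guest access requires a deepLinkCode filter")
    return [o["id"] for o in _scope(customer_id) if all(matches(o, f) for f in filters)]

def guest_filters_allowed(filters: List[Filter]) -> bool:
    """Hardened rule: a guest may supply exactly one non-empty exact-match filter on deepLinkCode."""
    return (len(filters) == 1 and filters[0].type == "equals"
            and filters[0].field == "deepLinkCode" and bool(filters[0].value))

def hardened_order_search(customer_id: Optional[str], filters: List[Filter]) -> List[str]:
    """Fixed model: guests are pinned to one exact deepLinkCode; customers to their own orders."""
    if customer_id is None and not guest_filters_allowed(filters):
        raise PermissionError("guest access requires exactly one equals filter on deepLinkCode")
    return [o["id"] for o in _scope(customer_id) if all(matches(o, f) for f in filters)]
```

The difference to look for in a code review is the second condition: presence of a deepLinkCode filter is not an authorization decision, its type and cardinality are.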
Potential Impact
The primary impact of CVE-2026-31887 is the unauthorized disclosure of customer order information, which can include personal data, purchase history, and potentially payment details depending on the Shopware configuration. This breach of confidentiality can lead to privacy violations, regulatory non-compliance (such as GDPR), reputational damage, and loss of customer trust for affected organizations. Attackers exploiting this vulnerability can harvest sensitive data without authentication, increasing the risk of identity theft, targeted phishing, and fraud. Since the vulnerability affects e-commerce platforms, it can disrupt business operations by undermining customer confidence and triggering legal consequences. Although the vulnerability does not directly affect system integrity or availability, the exposure of sensitive data alone is sufficient to cause significant harm to organizations worldwide that rely on Shopware for their online storefronts.
Mitigation Recommendations
Organizations using Shopware versions prior to 6.7.8.1 or 6.6.10.15 should immediately upgrade to the patched versions to remediate this vulnerability. In addition to patching, administrators should audit access logs for unusual or unauthorized access patterns to the store-api.order endpoint. Implementing Web Application Firewalls (WAFs) with rules to detect and block anomalous API requests targeting order retrieval endpoints can provide temporary protection. Restricting API access to authenticated users where feasible and enforcing strict input validation on filter parameters can reduce exploitation risk. Regularly reviewing and hardening access control policies within Shopware configurations is recommended. Organizations should also ensure compliance with data protection regulations by promptly addressing any data exposure incidents and notifying affected customers as required.
Affected Countries
Germany, United States, United Kingdom, France, Netherlands, Australia, Canada, Switzerland, Austria, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T21:59:02.687Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1bba82f860ef94362bfad
Added to database: 3/11/2026, 6:59:52 PM
Last enriched: 3/19/2026, 2:16:59 AM
Last updated: 4/28/2026, 7:23:50 AM