CVE-2026-31888: CWE-204: Observable Response Discrepancy in shopware core
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
AI Analysis
Technical Summary
CVE-2026-31888 is an information disclosure vulnerability categorized under CWE-204 (Observable Response Discrepancy) affecting the Shopware open commerce platform's core component. The flaw exists in the Store API login endpoint (POST /store-api/account/login) in versions prior to 6.7.8.1 and 6.6.10.15. When an unauthenticated attacker submits a login request with an email address, the API responds differently depending on whether the email corresponds to a registered customer. If the email is unknown, the API returns a CHECKOUT__CUSTOMER_NOT_FOUND error and echoes the probed email address in the response. If the email is registered, it returns a CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS error without echoing the email. This discrepancy allows attackers to enumerate valid customer accounts by analyzing response codes and content, facilitating targeted phishing, credential stuffing, or further attacks. The storefront login controller correctly unifies error responses to prevent enumeration, but the Store API does not, indicating inconsistent security design. The vulnerability does not require authentication or user interaction and has a CVSS 3.1 base score of 5.3 (medium severity), reflecting its limited impact on confidentiality without affecting integrity or availability. No known exploits have been reported in the wild. The issue is resolved in Shopware versions 6.7.8.1 and 6.6.10.15 by standardizing error responses to prevent information leakage.
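The discrepancy described above, reduced to a runnable model. This is an added example, not Shopware's code: the two error codes are the ones named in the advisory, but the detail strings, the customer store, the dummy-record trick in the hardened handler, and the choice of CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS as the single unified code are constructed assumptions. The final function is the kind of oracle check a security test suite can run against any login handler to confirm that failed logins for known and unknown accounts are indistinguishable.

```python
"""
CWE-204 on a login endpoint: the vulnerable handler reveals whether an email
is registered through distinct error codes (and echoes the address); the
hardened handler answers every failed login identically.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Customer:
    email: str
    salt: bytes
    password_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_customer(email: str, password: str) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(email, salt, _hash(password, salt))


# Constructed sample data: one registered account.
CUSTOMERS = {"alice@example.com": _make_customer("alice@example.com", "correct horse battery")}
# Dummy record verified when the email is unknown, so the handler does the same
# amount of work (and takes the same time) whether or not the account exists.
_DUMMY = _make_customer("nobody@invalid", secrets.token_hex(16))


def _error(status: int, code: str, detail: str) -> dict:
    return {"status": status, "errors": [{"code": code, "detail": detail}]}


def login_vulnerable(email: str, password: str) -> dict:
    """Pre-fix behaviour as the advisory describes it: two distinct codes, and
    the unknown-email branch echoes the submitted address. Detail strings are
    constructed; only the error codes come from the advisory."""
    customer = CUSTOMERS.get(email.lower())
    if customer is None:
        return _error(401, "CHECKOUT__CUSTOMER_NOT_FOUND", f"No customer found for email {email}")
    if not hmac.compare_digest(_hash(password, customer.salt), customer.password_hash):
        return _error(401, "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS", "Invalid credentials")
    return {"status": 200, "contextToken": secrets.token_hex(16)}


def login_hardened(email: str, password: str) -> dict:
    """Single failure path: one code, one message, no echo of the input, and a
    password check against a dummy record when the account does not exist."""
    customer = CUSTOMERS.get(email.lower())
    record = customer if customer is not None else _DUMMY
    password_ok = hmac.compare_digest(_hash(password, record.salt), record.password_hash)
    if customer is None or not password_ok:
        return _error(401, "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS", "Invalid credentials")
    return {"status": 200, "contextToken": secrets.token_hex(16)}


def response_leaks_existence(handler: Callable[[str, str], dict]) -> bool:
    """Oracle check for a security test: with a wrong password, does a known
    account produce a different failure response than an unknown one?"""
    known = handler("alice@example.com", "definitely wrong")
    unknown = handler("probe-target@example.com", "definitely wrong")
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler leaks:", response_leaks_existence(login_vulnerable))  # True
    print("hardened handler leaks:  ", response_leaks_existence(login_hardened))    # False
```

The oracle compares the whole response body, not just the HTTP status, because the advisory's leak is in the error code and the echoed email rather than the status line; a real test should additionally compare response headers and timing.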
Potential Impact
The primary impact of CVE-2026-31888 is information disclosure through user enumeration, which can significantly aid attackers in reconnaissance. By identifying valid customer email addresses, attackers can launch targeted phishing campaigns, social engineering attacks, or credential stuffing attempts using leaked or commonly used passwords. This can lead to unauthorized account access, data breaches, and reputational damage for affected organizations. Although the vulnerability does not directly compromise system integrity or availability, it lowers the barrier for subsequent attacks that could have more severe consequences. E-commerce platforms relying on Shopware are particularly at risk, as customer trust and data privacy are critical. The vulnerability can be exploited by unauthenticated attackers and requires no user interaction, increasing its exploitation potential. Organizations worldwide using vulnerable Shopware versions face increased risk of customer data exposure and related fraud.
Mitigation Recommendations
To mitigate CVE-2026-31888, organizations should immediately upgrade Shopware core to versions 6.7.8.1 or 6.6.10.15 or later, where the vulnerability is fixed. If immediate patching is not feasible, implement custom middleware or API gateways to normalize error responses from the Store API login endpoint, ensuring that error messages and codes do not differ based on user existence. Avoid echoing user-submitted data in error messages to prevent information leakage. Monitor login endpoints for unusual enumeration patterns, such as repeated login attempts with varying email addresses, and implement rate limiting or IP blocking to hinder automated probing. Educate security teams and developers about consistent error handling practices to prevent similar flaws. Additionally, enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the impact of credential-based attacks facilitated by enumeration. Regularly audit and test APIs for information disclosure vulnerabilities as part of security assessments.
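The monitoring recommendation above, as an added example that is not part of the advisory or of Shopware: a sliding-window detector run over constructed login-endpoint log lines. The log format is an assumption (Shopware's real logs look different); it records a truncated SHA-256 of the submitted email rather than the address itself, so the log cannot become a second enumeration oracle. The thresholds are assumptions to tune per shop.

```python
"""
Detect account enumeration against a login endpoint from access logs.
Constructed log format (not Shopware's own):
  <iso-timestamp> <client-ip> POST /store-api/account/login <status> <error-code> <sha256(email)[:12]>
"""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /store-api/account/login "
    r"(?P<status>\d{3}) (?P<code>\S+) (?P<email_hash>\S+)$"
)


def _email_hash(email: str) -> str:
    # Log a truncated hash, never the raw address.
    return hashlib.sha256(email.lower().encode()).hexdigest()[:12]


def _build_sample_log() -> list:
    """Constructed sample: one client probing 12 distinct addresses two seconds
    apart (an unpatched shop, so NOT_FOUND shows up for unknown ones), and one
    client that mistypes its own password three times before succeeding."""
    t0 = datetime(2026, 3, 11, 18, 59, 0, tzinfo=timezone.utc)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat().replace("+00:00", "Z")
    lines = []
    for i in range(12):
        code = "CHECKOUT__CUSTOMER_NOT_FOUND" if i % 3 else "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS"
        lines.append(f"{stamp(2 * i)} 203.0.113.7 POST /store-api/account/login 401 {code} "
                     f"{_email_hash(f'user{i}@example.com')}")
    for i in range(3):
        lines.append(f"{stamp(5 * i + 1)} 198.51.100.4 POST /store-api/account/login 401 "
                     f"CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS {_email_hash('alice@example.com')}")
    lines.append(f"{stamp(20)} 198.51.100.4 POST /store-api/account/login 200 - "
                 f"{_email_hash('alice@example.com')}")
    return sorted(lines)  # timestamps share one fixed-width format, so text order is time order


SAMPLE_LOG_LINES = _build_sample_log()


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
                       min_failures: int = 10, min_distinct: int = 8) -> list:
    """One alert per client IP whose failed logins inside the sliding window hit
    both thresholds. The distinct-account count is what separates enumeration
    from a legitimate user retrying their own password."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, email_hash, code)
    flagged = set()
    alerts = []
    for rec in map(parse_line, lines):
        if rec is None or rec["status"] != 401:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["email_hash"], rec["code"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {h for _, h, _ in q}
        if rec["ip"] in flagged or len(q) < min_failures or len(distinct) < min_distinct:
            continue
        flagged.add(rec["ip"])
        alerts.append({
            "ip": rec["ip"],
            "failures": len(q),
            "distinct_accounts": len(distinct),
            "not_found": sum(1 for _, _, c in q if c == "CHECKOUT__CUSTOMER_NOT_FOUND"),
            "first_seen": q[0][0],
            "last_seen": rec["ts"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG_LINES):
        print(alert)
```

The not_found counter is only informative on an unpatched shop; once responses are unified per the fix, the error code no longer separates known from unknown accounts and the detection rests entirely on volume and the number of distinct accounts tried from one source. Rate limiting keyed on the same (source, distinct-accounts) pair is the natural companion control.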
Affected Countries
United States, Germany, United Kingdom, France, Netherlands, Australia, Canada, Switzerland, Austria, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T21:59:02.687Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1bba82f860ef94362bfb0
Added to database: 3/11/2026, 6:59:52 PM
Last enriched: 3/11/2026, 7:14:17 PM
Last updated: 3/13/2026, 9:25:20 AM