CVE-2026-31888: CWE-204: Observable Response Discrepancy in shopware core
CVE-2026-31888 is a medium-severity vulnerability in Shopware core versions prior to 6.7.8.1 and 6.6.10.15. It arises from an observable response discrepancy in the Store API login endpoint, which returns different error codes and messages depending on whether an email address is registered or not. This behavior allows unauthenticated attackers to enumerate valid customer accounts by probing email addresses. The storefront login controller does not exhibit this flaw, indicating inconsistent error handling between components.
AI Analysis
Technical Summary
CVE-2026-31888 is an information disclosure vulnerability classified under CWE-204 (Observable Response Discrepancy) affecting the Shopware open commerce platform. Specifically, the Store API login endpoint (POST /store-api/account/login) prior to versions 6.7.8.1 and 6.6.10.15 returns distinct error responses based on whether the submitted email address corresponds to a registered customer or not. When an attacker submits a login request with an unregistered email, the API responds with a 'CHECKOUT__CUSTOMER_NOT_FOUND' error and echoes the probed email address in the response. Conversely, for registered emails with incorrect credentials, it returns 'CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS'. This discrepancy enables unauthenticated attackers to enumerate valid customer accounts by comparing responses, facilitating targeted phishing, credential stuffing, or social engineering attacks. The storefront login controller correctly unifies its error responses to prevent such enumeration; the Store API's inconsistent handling is what leaks the information. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 5.3 (medium), reflecting low impact on confidentiality (only account existence disclosure), no impact on integrity or availability, and ease of exploitation. The issue is resolved in Shopware versions 6.7.8.1 and 6.6.10.15 by standardizing error responses so that they no longer reveal whether an account exists.
Potential Impact
The primary impact of CVE-2026-31888 is information disclosure through account enumeration. Attackers can identify valid customer email addresses on affected Shopware installations, which can be leveraged for targeted phishing campaigns, social engineering, or credential stuffing attacks using leaked or commonly used passwords. While the vulnerability does not directly compromise account credentials or system integrity, the leaked information lowers the attacker's effort and increases the likelihood of successful subsequent attacks. For e-commerce platforms relying on Shopware, this can lead to reputational damage, customer trust erosion, and potential financial losses if attackers exploit enumerated accounts. Additionally, attackers may use enumerated emails to craft convincing spear-phishing emails or attempt account takeover attacks. The vulnerability affects all organizations using vulnerable Shopware core versions worldwide, especially those with large customer bases or sensitive customer data. No direct availability or data integrity impact is present, but the indirect risks to confidentiality and customer security are significant.
Mitigation Recommendations
To mitigate CVE-2026-31888, organizations should promptly upgrade Shopware core to versions 6.7.8.1 or 6.6.10.15 or later, where the vulnerability is fixed by unifying error responses in the Store API login endpoint. Until upgrades can be applied, administrators can implement the following specific mitigations:
1. Introduce custom middleware or API gateway rules to normalize error responses from the Store API login endpoint, ensuring identical responses regardless of email validity.
2. Implement rate limiting and IP throttling on login attempts to reduce the feasibility of large-scale enumeration attacks.
3. Monitor logs for unusual login request patterns indicative of enumeration attempts.
4. Educate customers about phishing risks and encourage strong, unique passwords and multi-factor authentication where supported.
5. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block enumeration behavior targeting the Store API.
These targeted measures complement the essential upgrade to patched Shopware versions to fully remediate the vulnerability.
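As an added example (not Shopware's own code), the following Python shows the two defensive pieces from the analysis and the mitigation list together: a normalizer that collapses both account-revealing error codes into one generic response and drops the echoed email, and a log check that flags a source address failing logins against many distinct email addresses. The JSON 'errors' shape, the log-line format and the IP addresses and emails are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Error codes named in the advisory for POST /store-api/account/login.
NOT_FOUND = "CHECKOUT__CUSTOMER_NOT_FOUND"
BAD_CREDENTIALS = "CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS"


def normalize_login_error(body):
    """Hardened form: map both account-distinguishing codes to one generic
    error and drop anything else (such as an echoed email). The 'errors'
    list layout used here is an assumption, not the real API schema."""
    codes = {e.get("code") for e in body.get("errors", [])}
    if codes & {NOT_FOUND, BAD_CREDENTIALS}:
        return {"errors": [{"status": "401", "code": BAD_CREDENTIALS,
                            "detail": "Invalid email or password."}]}
    return body


# Constructed (hypothetical) access-log format: ip, status, code, email.
LOG_RE = re.compile(r"^(?P<ip>\S+) POST /store-api/account/login "
                    r"(?P<status>\d{3}) code=(?P<code>\S+) email=(?P<email>\S+)$")


def find_enumeration(lines, min_distinct=5):
    """Flag IPs whose failed logins span many distinct emails. The NOT_FOUND
    count records how many probes hit unregistered addresses (unpatched hosts
    only; after the fix the distinct-email signal still works)."""
    per_ip = defaultdict(lambda: {"emails": set(), "not_found": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["status"] != "401":
            continue
        stats = per_ip[m["ip"]]
        stats["emails"].add(m["email"].lower())
        if m["code"] == NOT_FOUND:
            stats["not_found"] += 1
    return {ip: {"distinct_emails": len(s["emails"]), "not_found": s["not_found"]}
            for ip, s in per_ip.items() if len(s["emails"]) >= min_distinct}


SAMPLE_LOG = [  # constructed sample traffic, not real logs
    "203.0.113.5 POST /store-api/account/login 401 code=%s email=alice@example.com" % BAD_CREDENTIALS,
    "203.0.113.5 POST /store-api/account/login 200 code=- email=alice@example.com",
] + [
    "198.51.100.7 POST /store-api/account/login 401 code=%s email=user%d@example.com" % (NOT_FOUND, i)
    for i in range(5)
] + [
    "198.51.100.7 POST /store-api/account/login 401 code=%s email=bob@example.com" % BAD_CREDENTIALS,
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```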
Affected Countries
Germany, United States, United Kingdom, France, Netherlands, Australia, Canada, Switzerland, Austria, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T21:59:02.687Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1bba82f860ef94362bfb0
Added to database: 3/11/2026, 6:59:52 PM
Last enriched: 3/19/2026, 2:15:42 AM
Last updated: 4/28/2026, 2:55:03 AM