CVE-2026-32142: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in shopware commercial
Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.
AI Analysis
Technical Summary
CVE-2026-32142 is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) issue in shopware commercial, the paid feature set layered on the open-source Shopware platform. The Admin API route /api/_info/config in versions >= 7.0.0 and < 7.8.1, and in versions before 6.10.15, returns license-related information to callers who present no credentials and trigger no user interaction (CVSS 3.1 vector components AV:N/AC:L/PR:N/UI:N). The advisory says only that the route "exposes information about licenses"; it does not list the fields, so whether the response contains license keys, entitlement details or only licensing metadata should be verified against an affected installation rather than assumed. The impact is confined to confidentiality (no integrity or availability impact), but the disclosed data lets an attacker profile the deployment and tailor follow-on attacks. The vendor fixed the issue in 7.8.1 and 6.10.15; the advisory does not describe the fix itself, so the only safe assumption is that a patched version no longer returns the license data to unauthenticated callers. No public exploit has been reported, but an unauthenticated GET is trivial to automate, so patching should not wait for one.
Potential Impact
The primary impact is unauthorized disclosure of license-related information, which is reconnaissance material: it can reveal the product edition, licensed features or licensing state of a shop and help an attacker decide which follow-on attacks (social engineering against the operator, exploitation of other vulnerabilities known to affect that edition) are worth attempting. System integrity and availability are not affected directly. If the exposed fields include an actual license key, the key itself may be misused or resold, which is a commercial loss for the operator rather than a customer-facing one. Every deployment running an affected version with its /api/ prefix reachable from the internet is exposed, which for most Shopware shops is the default, and the lack of any authentication requirement makes the route an easy target for mass scanning.
Mitigation Recommendations
Upgrade affected shopware commercial installations to 7.8.1 or 6.10.15 (or later on the respective branch), where the issue is fixed. Where an immediate upgrade is not possible, restrict access to /api/_info/config at the reverse proxy, WAF or API gateway so that only allowlisted administrator source addresses reach it; note that the Shopware Administration front end may itself call this route while loading, so test the admin login after applying such a rule rather than blocking the path outright. Log requests to this route (source address, user agent, whether an Authorization header was present) and alert on unauthenticated hits from outside the allowlist; an unexpected burst of such requests is a sign of scanning. After patching, confirm the fix by issuing an unauthenticated GET against the route and checking that no license-related fields are returned. If the response from an affected instance did contain a license key, treat that key as disclosed and ask the vendor about rotation. More generally, review what each unauthenticated Admin API route returns and trim it to what the caller needs; exposing only the minimum is the least-privilege principle applied to API responses.
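The check described in the technical summary and the post-patch verification step in the mitigation section, as an added example that is not Shopware's code and is not taken from the advisory. The advisory does not describe the shape of the /api/_info/config response beyond "information about licenses", so the script flags any key whose name mentions a licence rather than looking for a specific field; the sample response, the CommercialBundle key inside it and the idea that you read the installed shopware commercial version from your package manager are all constructed assumptions. The version ranges are the ones stated on this page.

```python
"""Probe a Shopware host for CVE-2026-32142 exposure (added example, not vendor code).

Two independent checks:
  1. is_vulnerable_version(): compare the installed shopware commercial version
     (supplied by the operator; read it from your package manager, which the
     advisory does not cover) against the affected ranges stated in the advisory.
  2. assess(): GET /api/_info/config with no credentials and report every key
     whose name mentions a licence. Key-name matching is a heuristic, because the
     advisory does not list the fields the route returns.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Any, Callable, Optional

ENDPOINT = "/api/_info/config"
LICENSE_RE = re.compile(r"licen[cs]e", re.IGNORECASE)


def parse_version(v: str) -> tuple[int, int, int]:
    """'7.8.1' or 'v7.8.1' -> (7, 8, 1); extra suffixes after the patch level are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable_version(v: str) -> bool:
    """Affected per the advisory: anything before 6.10.15, and 7.0.0 <= v < 7.8.1.

    Tuples compare lexicographically, so 6.10.14 < 6.10.15 and 7.8.0 < 7.8.1 both
    resolve correctly even though '7.8.0' sorts after '7.10.0' as a string."""
    t = parse_version(v)
    if t < (6, 10, 15):
        return True
    if (7, 0, 0) <= t < (7, 8, 1):
        return True
    return False


def find_license_fields(obj: Any, path: str = "") -> list[str]:
    """Dotted paths of every dict key, at any depth, whose name contains 'license'/'licence'."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if LICENSE_RE.search(str(key)):
                hits.append(here)
            hits.extend(find_license_fields(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_license_fields(value, f"{path}[{i}]"))
    return hits


def fetch_unauthenticated(base_url: str, timeout: float = 10.0) -> tuple[int, bytes]:
    """GET the route with no Authorization header; a 401/403 here means the route is gated."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def assess(base_url: str,
           installed_version: Optional[str] = None,
           fetch: Callable[[str], tuple[int, bytes]] = fetch_unauthenticated) -> dict:
    """Combine both checks. `fetch` is injectable so the logic can be exercised offline."""
    result: dict = {"status": None, "license_fields": [], "vulnerable_version": None}
    if installed_version is not None:
        result["vulnerable_version"] = is_vulnerable_version(installed_version)
    status, body = fetch(base_url)
    result["status"] = status
    if status != 200:
        return result  # gated or absent route: nothing readable without a token
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return result  # not JSON: nothing to walk
    result["license_fields"] = find_license_fields(data)
    return result


# Constructed sample response for offline use; the real field names are not in the advisory.
SAMPLE_RESPONSE = {
    "version": "6.6.10.0",
    "settings": {"enableUrlFeature": True},
    "bundles": {
        "CommercialBundle": {               # hypothetical bundle name
            "licenseHost": "shop.example",  # constructed
            "license": {"key": "REDACTED", "toggles": ["feature-a"]},
        }
    },
}


if __name__ == "__main__":
    # usage: python check.py https://shop.example [installed-commercial-version]
    url = sys.argv[1]
    ver = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(assess(url, ver), indent=2))
```

An empty `license_fields` list on a 200 response is not proof of safety, since the heuristic only inspects key names; read the raw body once by hand on a known-affected version so you know what the leak looks like, then keep the key-name check as the regression test after upgrading.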
Affected Countries
Germany, United States, United Kingdom, France, Netherlands, Australia, Canada, Switzerland, Austria, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:19:36.547Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b30a4d2f860ef943dbc46a
Added to database: 3/12/2026, 6:47:41 PM
Last enriched: 3/12/2026, 6:48:23 PM
Last updated: 3/13/2026, 5:20:27 PM