Public March 11, 2026
Shopware Store API Login Responses Enable User Enumeration
BugBunny.ai found that Shopware returned different error responses for unknown users and valid users with the wrong password on the Store API login endpoint. That difference lets unauthenticated attackers verify whether a customer account exists before attempting phishing or credential stuffing.
TL;DR
- Unauthenticated attackers can confirm whether a target email address is registered as a Shopware customer.
- Distinct 401 error codes and reflected email data on POST /store-api/account/login.
- shopware/core and shopware/platform releases prior to the March 2026 fixes.
- Published and fixed in Shopware 6.7.8.1 / 6.6.10.15.
Root Cause
The Store API login route allowed CustomerNotFoundException and BadCredentialsException to propagate as different serialized API responses. Unknown users received CHECKOUT__CUSTOMER_NOT_FOUND while real users with the wrong password received CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS.
Shopware already handled this case safely in the storefront controller by normalizing both exceptions. The Store API path skipped that normalization, so the API leaked account existence even though the application clearly had the correct defensive pattern elsewhere.
Product
Shopware
Affected
shopware/core >=6.7.0.0 <6.7.8.1 and <6.6.10.15; shopware/platform >=6.7.0.0 <6.7.8.1 and <6.6.10.14
Patched
shopware/core 6.7.8.1 / 6.6.10.15 and shopware/platform 6.7.8.1 / 6.6.10.14
Weaknesses
CWE-204: Observable Response Discrepancy
Mitigation
- Upgrade Shopware core and platform to the patched March 2026 releases.
- Normalize login failures to a single generic response regardless of whether the email exists.
- Review registration and recovery endpoints for similar account-enumeration side channels.
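The discrepancy described under Root Cause and the normalization called for in the second mitigation point, as an added Python example (not Shopware's own code): a pre-fix handler that serializes the two exceptions differently, a hardened handler that collapses both to one fixed body, and a CWE-204 regression check that lists every observable difference between two login-failure responses. The JSON error envelope, the detail wording and the choice of which error code to keep are assumptions, not taken from the advisory.

```python
import json

# Stand-ins for the two Shopware exceptions named in the advisory.
class CustomerNotFoundException(Exception): pass
class BadCredentialsException(Exception): pass

def _error_body(code: str, detail: str) -> str:
    # Constructed JSON:API-style error envelope; the exact layout is an assumption.
    return json.dumps({"errors": [{"status": "401", "code": code, "detail": detail}]})

def vulnerable_login_error(exc: Exception, email: str) -> str:
    """Pre-fix Store API behaviour: each exception serializes to its own code,
    and the unknown-user branch echoes the submitted email (constructed wording)."""
    if isinstance(exc, CustomerNotFoundException):
        return _error_body("CHECKOUT__CUSTOMER_NOT_FOUND",
                           f'No matching customer for the email "{email}"')
    if isinstance(exc, BadCredentialsException):
        return _error_body("CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS",
                           "Invalid username and/or password.")
    raise exc

def normalized_login_error(exc: Exception, email: str) -> str:
    """Hardened pattern: both failures collapse to one fixed body with no reflected
    input. Reusing the bad-credentials code is our choice: that case cannot be
    hidden anyway, so unknown users are made indistinguishable from it."""
    if isinstance(exc, (CustomerNotFoundException, BadCredentialsException)):
        return _error_body("CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS",
                           "Invalid username and/or password.")
    raise exc

def login_error_discrepancies(body_a: str, body_b: str, email: str) -> list:
    """CWE-204 regression check: every observable difference between two
    login-failure bodies (HTTP status, error code, key set, reflected email)."""
    ea = json.loads(body_a)["errors"][0]
    eb = json.loads(body_b)["errors"][0]
    diffs = [f"{f}: {ea.get(f)!r} vs {eb.get(f)!r}"
             for f in ("status", "code") if ea.get(f) != eb.get(f)]
    if set(ea) != set(eb):
        diffs.append("error keys differ")
    if (email in body_a) != (email in body_b):
        diffs.append("email reflected in only one response")
    return diffs

def compare(handler, email: str = "customer@example.test") -> list:
    """Feed the unknown-user and wrong-password cases through one handler."""
    unknown = handler(CustomerNotFoundException(), email)
    wrong_pw = handler(BadCredentialsException(), email)
    return login_error_discrepancies(unknown, wrong_pw, email)
```

`compare(vulnerable_login_error)` reports the differing error code and the reflected email, while `compare(normalized_login_error)` returns an empty list; the same check can be run against two captured responses from a staging instance to catch regressions on registration and recovery endpoints.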
Credits & Disclosure
Published via GitHub Security Advisory GHSA-gqc5-xv7m-gcjq after coordinated disclosure with the Shopware maintainers.