Shopware 6's password recovery link does not expire after email change
Summary
When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address.
PoC
- Log in to a Shopware account.
- Request a password reset for your current email address.
- Copy the password reset link but do not open it.
- Log back into your account.n
- Navigate to Account Settings → Email and change your email address.
- Use the previously copied reset link (from before the email change).
- The system allows password change using the old link.
Impact
Reproduced on Stable 6.6.10.7 and trunk.
| Software | From | Fixed in |
|---|---|---|
shopware / core
|
- | 6.6.10.9 |
|
shopware / core
|
6.7.0.0 | 6.7.4.1 |
- https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13
- https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52
- https://github.com/shopware/shopware/releases/tag/v6.6.10.9
- https://github.com/shopware/shopware/releases/tag/v6.7.0.0
- https://github.com/shopware/shopware/releases/tag/v6.7.4.1
- https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime