Shopware Broken ACL on Document retrieval to access other customers documents

Impact

It's possible to guess the deepLinkCode of an Document to open documents of other customers

Patches

Update to Shopware 6.6.10.3 or 6.5.8.17

Workarounds

For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Published: Apr 8, 2025
Updated: Apr 30, 2025
GHSA: GHSA-68wv-g3fw-pq7q
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
shopware / core	6.6.0.0	6.6.10.3
shopware / platform	6.6.0.0	6.6.10.3
shopware / core	6.7.0.0-rc1	6.7.0.0-rc2
shopware / platform	6.7.0.0-rc1	6.7.0.0-rc2
shopware / core	-	6.5.8.17
shopware / platform	-	6.5.8.17

https://github.com/shopware/shopware/releases/tag/v6.5.8.17
https://github.com/shopware/shopware/releases/tag/v6.6.10.3
https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2
https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q

Vulnerability Database

290,020

Shopware Broken ACL on Document retrieval to access other customers documents

Impact

Patches

Workarounds