Shopware Customer Orders can be canceled, even if refunds are disabled

Refunds in general can be enabled through the administration setting core.cart.enableOrderRefunds (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php

To mitigate this, a check should be added to the CancelOrderRoute which verifies that the feature is enabled.

Published: Oct 21, 2025
Updated: Oct 22, 2025
GHSA: GHSA-r2vg-hvjm-fg38
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
shopware / platform	6.7.0.0	6.7.3.1
shopware / platform	-	6.6.10.7
shopware / core	6.7.0.0	6.7.3.1
shopware / core	-	6.6.10.7

Vulnerability Database

Shopware Customer Orders can be canceled, even if refunds are disabled

Deep Security Visibility Without the Complexity