
CVE-2026-48011 is a timing-attack vulnerability in Shopware's admin panel OAuth authentication flow that allows unauthenticated attackers to enumerate valid administrator usernames. The flaw exists in src/Core/Framework/Api/OAuth/UserRepository.php and was discovered by Niel Duysters (@NielDuysters) and Thomas Brankaer (@tbrankaer). Affected versions include shopware/core and shopware/platform >= 6.7.0.0 and < 6.7.10.1, as well as all versions < 6.6.10.18. The advisory was first published May 19, 2026, and added to the GitHub Advisory Database on June 4, 2026. It carries a CVSS v3.1 base score of 3.7 (Low) (GitHub Advisory, Shopware Advisory).
The root cause is an observable timing discrepancy (CWE-208) in the getUserEntityByUserCredentials() method within src/Core/Framework/Api/OAuth/UserRepository.php. When a login request is sent to api/oauth/token, the code takes two distinct execution paths: if the username does not exist, it returns null immediately (PATH 1); if the username exists, it calls PHP's password_verify() with the Argon2id algorithm before returning (PATH 2). Because Argon2id is intentionally computationally expensive, PATH 2 takes measurably longer than PATH 1, allowing an attacker to statistically distinguish valid from invalid usernames by measuring response times. The proposed fix is to always invoke password_verify() against a dummy hash before the early return, ensuring constant-time behavior regardless of username validity (Shopware Advisory, GitHub Advisory).
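The two execution paths described above, as an added PHP illustration that is not Shopware's code: a lookup that returns early for unknown usernames beside one that always runs password_verify() against a pre-computed dummy hash. The $users table and the passwords are constructed sample data, and the script assumes a PHP build with Argon2 support (PASSWORD_ARGON2ID available).

```php
<?php
declare(strict_types=1);

// Constructed sample user table (hypothetical): username => Argon2id hash.
$users = ['admin' => password_hash('correct-horse-battery-staple', PASSWORD_ARGON2ID)];

// Dummy hash computed once at startup. It must use the same algorithm and cost
// parameters as the stored hashes, otherwise the miss path still takes a different time.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_ARGON2ID);

// Vulnerable shape: an unknown username returns before the expensive verify,
// so the miss path is measurably faster than the hit path (CWE-208).
function lookupVulnerable(array $users, string $username, string $password): ?string
{
    if (!isset($users[$username])) {
        return null;                                                          // PATH 1: fast
    }
    return password_verify($password, $users[$username]) ? $username : null; // PATH 2: slow
}

// Hardened shape: password_verify() always runs, against the real hash when the
// user exists and against the dummy hash otherwise, so both paths pay the Argon2id cost.
function lookupConstantTime(array $users, string $username, string $password, string $dummyHash): ?string
{
    $exists   = isset($users[$username]);
    $verified = password_verify($password, $exists ? $users[$username] : $dummyHash);
    return ($exists && $verified) ? $username : null;
}

// Average wall-clock time of $fn over $n runs, in milliseconds.
function averageMs(callable $fn, int $n = 20): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / $n / 1e6;
}

$variants = [
    'vulnerable' => fn(string $u) => lookupVulnerable($users, $u, 'wrong-password'),
    'hardened'   => fn(string $u) => lookupConstantTime($users, $u, 'wrong-password', $dummyHash),
];
foreach ($variants as $name => $lookup) {
    $hit  = averageMs(fn() => $lookup('admin'));   // existing username
    $miss = averageMs(fn() => $lookup('nobody'));  // unknown username
    printf("%-10s existing user: %7.2f ms   unknown user: %7.2f ms\n", $name, $hit, $miss);
}
```

On a typical build the vulnerable variant shows the unknown-user lookup returning in a fraction of a millisecond while the existing-user lookup takes the full Argon2id time; the hardened variant shows both columns within noise of each other.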
Successful exploitation allows an unauthenticated remote attacker to enumerate valid administrator usernames on a Shopware instance. While there is no direct integrity or availability impact, the disclosed usernames can significantly lower the barrier for follow-on attacks such as targeted brute-force or dictionary attacks against admin credentials, spear phishing campaigns, and credential stuffing using data from other breaches. The confidentiality impact is limited to username disclosure, but in the context of an e-commerce platform, compromising admin accounts could lead to full store takeover (Shopware Advisory).
Shopware has released patched versions that address this vulnerability by ensuring constant-time behavior in the authentication flow regardless of whether a username exists. Administrators should upgrade shopware/core and shopware/platform to version 6.6.10.18 (for the 6.6.x branch) or 6.7.10.1 (for the 6.7.x branch). As a temporary workaround prior to patching, rate-limiting or IP-based throttling on the api/oauth/token endpoint can increase the difficulty of timing-based enumeration, though upgrading remains the definitive fix (Shopware v6.6.10.18 Release, Shopware v6.7.10.1 Release).
Source: This report was generated using artificial intelligence