
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (GHSA-r2vg-hvjm-fg38) was discovered in Shopware's order cancellation functionality, affecting the shopware/platform and shopware/core packages in versions >= 6.7.0.0 and < 6.7.3.1, and in versions < 6.6.10.7. The vulnerability allows customers to cancel their orders through custom-crafted requests even when the refund functionality is disabled in the system settings. This security issue was disclosed on October 21, 2025, and has been assigned a moderate severity rating with a CVSS score of 4.3 (GitHub Advisory).
The vulnerability stems from a missing authorization check in the CancelOrderRoute class. While the administration setting 'core.cart.enableOrderRefunds' controls the visibility of the cancellation button in the user interface, the backend route does not verify this setting before processing cancellation requests. The affected endpoint is '/store-api/order/state/cancel', which processes order cancellation requests. The vulnerability has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity and low privileges required (GitHub Advisory).
The vulnerability allows authenticated customers to bypass the system's refund settings and cancel their orders even when this functionality is explicitly disabled by the store administrator. This could lead to unauthorized order cancellations and potential business process disruptions (GitHub Advisory).
The vulnerability has been patched in versions 6.7.3.1 and 6.6.10.7 of both shopware/platform and shopware/core packages. The fix implements a proper authorization check in the CancelOrderRoute class to verify that the refund feature is enabled before processing cancellation requests. Users are advised to upgrade to the patched versions (GitHub Advisory, Shopware Commit).
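The pattern behind this advisory, a UI toggle that hides a button while the backend route never enforces the same setting, is easier to see side by side. The following is an added, self-contained PHP illustration and not Shopware's own code: the class names, the in-memory config stand-in, the order store and the sample request body are all constructed for this example; only the config key 'core.cart.enableOrderRefunds' and the endpoint path come from the advisory. The exception type is an arbitrary choice for the demonstration.

```php
<?php
// Illustrative example, not Shopware's code. Everything below except the config
// key 'core.cart.enableOrderRefunds' and the route path is constructed here.
declare(strict_types=1);

// Stand-in for a system configuration lookup (constructed for this example).
interface ConfigReader
{
    public function get(string $key, ?string $salesChannelId = null): mixed;
}

final class InMemoryConfig implements ConfigReader
{
    /** @param array<string, mixed> $values */
    public function __construct(private array $values) {}

    public function get(string $key, ?string $salesChannelId = null): mixed
    {
        // A real store would resolve per sales channel; this one is flat.
        return $this->values[$key] ?? null;
    }
}

// Minimal stand-in for the order state transition the real route performs.
final class OrderStore
{
    /** @var array<string, string> orderId => state */
    public array $states = [];

    public function transition(string $orderId, string $state): void
    {
        $this->states[$orderId] = $state;
    }
}

// "Before": the handler trusts that the UI hides the cancel button and never
// consults the setting, so any authenticated customer who posts to
// /store-api/order/state/cancel gets their order cancelled.
final class VulnerableCancelOrderRoute
{
    public function __construct(private OrderStore $orders) {}

    /** @param array<string, string> $request decoded request body */
    public function load(array $request, string $salesChannelId): string
    {
        $this->orders->transition($request['orderId'], 'cancelled');
        return 'cancelled';
    }
}

// "After": the route enforces the administrator's setting server-side before
// touching order state. The UI toggle is a convenience; this check is the control.
final class HardenedCancelOrderRoute
{
    public function __construct(
        private ConfigReader $config,
        private OrderStore $orders,
    ) {}

    /** @param array<string, string> $request decoded request body */
    public function load(array $request, string $salesChannelId): string
    {
        if (!$this->config->get('core.cart.enableOrderRefunds', $salesChannelId)) {
            throw new RuntimeException('Order cancellation is disabled for this sales channel.');
        }
        $this->orders->transition($request['orderId'], 'cancelled');
        return 'cancelled';
    }
}

// Driver: the administrator has disabled refunds, and a customer sends the
// cancellation request directly instead of through the (hidden) button.
$config = new InMemoryConfig(['core.cart.enableOrderRefunds' => false]);
$request = ['orderId' => 'order-123']; // constructed sample body

$vulnerable = new VulnerableCancelOrderRoute(new OrderStore());
echo 'vulnerable route: ' . $vulnerable->load($request, 'sales-channel-1') . PHP_EOL;

$hardened = new HardenedCancelOrderRoute($config, new OrderStore());
try {
    echo 'hardened route: ' . $hardened->load($request, 'sales-channel-1') . PHP_EOL;
} catch (RuntimeException $e) {
    echo 'hardened route: ' . $e->getMessage() . PHP_EOL;
}
```

Run it with `php example.php`: the vulnerable route reports the order as cancelled regardless of the setting, while the hardened route refuses. The practical check this suggests for any store-front API is to ask, for each administrative toggle, which backend route re-reads that setting; if the answer is "only the template", the setting is cosmetic rather than an authorization control.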
Source: This report was generated using AI