GHSA-r2vg-hvjm-fg38: 
PHP vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-r2vg-hvjm-fg38) was identified in Shopware's order management system, affecting versions >= 6.7.0.0, < 6.7.3.1 and < 6.6.10.7 of both shopware/core and shopware/platform packages. The vulnerability was discovered and disclosed on October 21, 2025, allowing customers to cancel their orders even when the refund functionality is explicitly disabled through administrative settings (GitHub Advisory).

The vulnerability stems from a missing authorization check in the order cancellation route. While the administration setting 'core.cart.enableOrderRefunds' controls the visibility of the refund button in the cart panel, the actual route and controller logic (AccountOrderController and CancelOrderRoute) do not verify this setting. The vulnerability has been assigned a CVSS score of 4.3 (Moderate) with the following metrics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, Unchanged scope, No impact on confidentiality, Low impact on integrity, and No impact on availability (GitHub Advisory).

The vulnerability allows customers to bypass the administrative controls for order cancellation. Even when refunds are explicitly disabled through the administration panel, customers can submit custom-crafted requests to cancel their orders, potentially disrupting order management and business processes (GitHub Advisory).

The vulnerability has been patched in versions 6.7.3.1 and 6.6.10.7 of both shopware/core and shopware/platform packages. The fix implements a proper authorization check in the CancelOrderRoute to verify that the refund feature is enabled before processing cancellation requests (GitHub Advisory).