CVE-2026-48014

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 87% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Summary

This is a vertical authorization bypass in the Admin API affecting order state transition features (/api/_action/order/{orderId}/state/{transition} and similar transaction/delivery transition routes). The root cause is that the transition action routes do not declare required server-side ACL privileges, allowing low-privileged users to pass the authorization boundary. As a result, authenticated users without order:update can still change order states, causing real security impact such as operational integrity loss, automation workflow misuse, and fulfillment/settlement/support process disruption.

Description

Shopware’s permission model requires server-side enforcement independent of UI guards. However, the dedicated order-state transition action endpoints are missing ACL metadata, so accounts without regular order update privileges can still submit transition requests that are processed by the backend. In real reproduction, the same low-privileged account receives 403 on the normal order update API, while the transition action API succeeds with 200 and updates order state in the database. The key point is that reproduction is possible through direct API calls regardless of UI access restrictions or hidden buttons. This is not a functional edge case; it is an implementation gap in authorization boundaries that enables privilege escalation behavior where a “read/limited-edit” user can control order lifecycle states.

Expected Behavior

  • Order, order-transaction, and order-delivery transition endpoints must perform explicit server-side ACL checks.
  • Requests should be rejected unless the caller has the proper entity update privileges, such as order:update, order_transaction:update, or order_delivery:update.
  • If an account gets 403 on the normal order update API, transition actions on the same protected resource should also be blocked by equivalent policy.
  • Even if transition internals use SYSTEM_SCOPE, caller authorization must be validated before entering the transition execution path.

Root Cause

File: src/Core/Checkout/Order/Api/OrderActionController.php

#[Route(
    path: '/api/_action/order/{orderId}/state/{transition}',
    name: 'api.action.order.state_machine.order.transition_state',
    methods: [Request::METHOD_POST]
)]
public function orderStateTransition(
    string $orderId,
    string $transition,
    Request $request,
    Context $context
): JsonResponse {
    $toPlace = $this->orderService->orderStateTransition(
        $orderId,
        $transition,
        $request->request,
        $context
    );

return new JsonResponse($toPlace->jsonSerialize()); }

This route exposes state transitions but forwards user-controlled inputs (orderId, transition) into the service layer without PlatformRequest::ATTRIBUTE_ACL and without an explicit context->isAllowed(...) privilege check. An untrusted caller can directly control the transition target.

File: src/Core/Framework/Api/Acl/AclAnnotationValidator.php

$privileges = $request->attributes->get(PlatformRequest::ATTRIBUTE_ACL);

if (!$privileges) { return; }

If route ACL metadata is absent, ACL validation exits immediately. Therefore these action routes skip authorization validation entirely.

File: src/Core/System/StateMachine/StateMachineRegistry.php

public function transition(Transition $transition, Context $context): StateMachineStateCollection
{
    return $context->scope(Context::SYSTEM_SCOPE, function (Context $context) use ($transition): StateMachineStateCollection {
        // ...
        $this->stateMachineHistoryRepository->create([$stateMachineHistoryEntity], $context);
        $repository->upsert($data, $context);
        // ...
    });
}

Transitions run in SYSTEM_SCOPE and persist state/history with system context. This requires strict pre-authorization at the route/controller boundary, but that pre-check is missing, so low-privileged calls still lead to real state changes.

Impact

The precondition is a remotely reachable authenticated low-privileged Admin API user (for example, operator/support account, or a compromised restricted account). The attacker only needs a valid order identifier, then calls transition action endpoints to cancel/reopen/advance order states without intended update privileges. This attack remains feasible even when UI access is restricted, because direct API calls still work. As a result, business workflows can be manipulated: order lifecycle integrity is broken, payment/shipping/document/notification/automation flows can be triggered incorrectly, and operational disruption can follow. In realistic scenarios, an attacker with a restricted account can mass-cancel or selectively alter orders, causing customer-support spikes, settlement inconsistencies, fulfillment mistakes, and practical availability degradation of day-to-day operations.

Patch Recommendation

  • Add explicit ACL requirements to order/order-transaction/order-delivery transition routes in OrderActionController, aligned with entity update privileges.
  • Centralize server-side privilege checks at transition entry points so transition paths and normal update paths follow consistent authorization policy.
  • Keep SYSTEM_SCOPE writes strictly behind authorization gates; ensure caller privilege decisions are completed in pre-check logic before transition execution.
  • Review transition-related APIs to guarantee privilege model mapping (order:*, order_transaction:*, order_delivery:*) is consistently enforced and no unprotected route remains.

CVSS v3
6.5
EG Score
6.5(low)
EPSS
12.8%
KEV
Not listed

Published

June 4, 2026

Last Modified

June 4, 2026

Vendor Advisories for CVE-2026-48014(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(2 across 1 ecosystem)
Packagist(2)
PackageVulnerable rangeFixed inDependents
shopware/core6.3.0.0 ... v6.6.9.0 (166 versions)6.6.10.18
shopware/platform6.3.0.0 ... v6.6.9.0 (166 versions)6.6.10.18

Data Freshness Timeline

(refreshed 3× in last 7d / 24× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-11 11:49 UTCEG score recompute
  2. 2026-07-08 09:34 UTCEG score recompute
  3. 2026-07-06 02:20 UTCEG score recompute
  4. 2026-07-03 02:12 UTCEG score recompute
  5. 2026-07-02 00:22 UTCEG score recompute
  6. 2026-06-30 22:30 UTCEG score recompute
  7. 2026-06-29 20:40 UTCEG score recompute
  8. 2026-06-28 18:50 UTCEG score recompute
  9. 2026-06-27 17:00 UTCEG score recompute
  10. 2026-06-26 14:55 UTCEG score recompute
  11. 2026-06-25 10:50 UTCEG score recompute
  12. 2026-06-24 08:59 UTCEG score recompute
  13. 2026-06-23 01:54 UTCEG score recompute
  14. 2026-06-19 23:48 UTCEG score recompute
  15. 2026-06-18 21:21 UTCEG score recompute
  16. 2026-06-17 18:18 UTCEG score recompute
  17. 2026-06-16 16:26 UTCEG score recompute
  18. 2026-06-15 14:35 UTCEG score recompute
  19. 2026-06-14 23:18 UTCEPSS rescore
  20. 2026-06-14 12:41 UTCEG score recompute
  21. 2026-06-13 23:00 UTCEPSS rescore
  22. 2026-06-13 10:51 UTCEG score recompute
  23. 2026-06-12 23:12 UTCEPSS rescore
  24. 2026-06-12 08:59 UTCEG score recompute
  25. 2026-06-11 07:09 UTCEG score recompute
Show 6 more
  1. 2026-06-10 05:19 UTCEG score recompute
  2. 2026-06-09 03:30 UTCEG score recompute
  3. 2026-06-08 01:39 UTCEG score recompute
  4. 2026-06-06 23:50 UTCEG score recompute
  5. 2026-06-05 22:00 UTCEG score recompute
  6. 2026-06-04 20:10 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-48014?
CVE-2026-48014 is a medium vulnerability published on June 4, 2026. Shopware: Admin API ACL Bypass in Order State Transition Endpoints Summary This is a vertical authorization bypass in the Admin API affecting order state transition features (/api/_action/order/{orderId}/state/{transition} and similar transaction/delivery transition routes). The root cause is that…
When was CVE-2026-48014 disclosed?
CVE-2026-48014 was first published in the National Vulnerability Database on June 4, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48014 actively exploited?
CVE-2026-48014 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 12.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-48014?
CVE-2026-48014 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48014?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48014, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48014

Explore →

Is Your Infrastructure Affected by CVE-2026-48014?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.