CVE-2026-48010

MEDIUM6.5

Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

發布日:2026/6/4修改日:2026/6/4
也稱為:GHSA-v39m-97p8-gqg7

描述

`UserController::upsertUser()` writes user data in `SYSTEM_SCOPE` and does not filter the `admin` field. A non-admin API user with `user:create` or `user:update` ACL permission can set `admin: true` on new or existing users, escalating to full admin access. ## The Problem In `src/Core/Framework/Api/Controller/UserController.php`, line 210-234: ```php public function upsertUser(?string $userId, Request $request, Context $context, ResponseFactoryInterface $factory): Response { $data = $request->request->all(); // raw request data, no field filtering // ... $events = $context->scope(Context::SYSTEM_SCOPE, fn (Context $context) => $this->userRepository->upsert([$data], $context) ); } ``` `SYSTEM_SCOPE` bypasses `AclWriteValidator` entirely (line 52 of `AclWriteValidator::preValidate()` returns early for `SYSTEM_SCOPE`). The `admin` boolean field is accepted without restriction. Compare with `IntegrationController::upsertIntegration()` in the same codebase, which correctly checks: ```php if ((!$source instanceof AdminApiSource) || (!$source->isAdmin() && isset($data['admin'])) ) { throw new PermissionDeniedException(); } ``` `UserController` is missing this exact check. ## Impact Any API user with the low-privilege `user:create` permission can create accounts with full admin access, or with `user:update` can promote any existing user to admin. This is a direct privilege escalation. ## Suggested Fix Add the same `isAdmin()` check from `IntegrationController`: ```php $source = $context->getSource(); if ((!$source instanceof AdminApiSource) || (!$source->isAdmin() && isset($data['admin']))) { throw new PermissionDeniedException(); } ``` Best regards, Keyvan Hardani

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 3.1MEDIUM6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

參考連結(4)