php · shopware/platform
Heads-up
shopware/platform: Missing ACL checks on order state transition endpoints
What changed
Order state transition endpoints in the Admin API are missing ACL privilege checks, allowing low-privileged users to change order states without proper authorization.
Who it affects
All Shopware instances with authenticated Admin API users, especially those with low-privileged accounts (e.g., operator/support roles).
What to do today
Apply the patch that adds explicit ACL requirements to transition routes in OrderActionController, or manually restrict access to these endpoints until a fix is deployed.
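The shape of the fix, as an added illustration rather than the project's own patch: in Shopware 6 an Admin API route declares the privilege a caller must hold through the `_acl` route default, and Shopware's ACL validator rejects the request with 403 before the controller action runs. The route path, route name, class name and the commented-out "before" form are assumptions for this example; `_acl`, the `order.editor` privilege key and `StateMachineRegistry` are Shopware conventions.

```php
<?php declare(strict_types=1);

// Added example, not shopware/platform code. Route path, route name and class
// name are invented for illustration; `_acl`, `order.editor` and
// StateMachineRegistry are Shopware conventions.

namespace App\Illustration\Order;

use Shopware\Core\Checkout\Order\OrderDefinition;
use Shopware\Core\Framework\Context;
use Shopware\Core\System\StateMachine\StateMachineRegistry;
use Shopware\Core\System\StateMachine\Transition;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

#[Route(defaults: ['_routeScope' => ['api']])]
class OrderStateTransitionController
{
    public function __construct(private readonly StateMachineRegistry $stateMachineRegistry)
    {
    }

    // BEFORE (the defect described above): the route was declared without an
    // `_acl` default, so any authenticated Admin API user could reach it.
    // Authentication was checked; authorization was not.
    //
    // #[Route(
    //     path: '/api/_action/example-order/{orderId}/state/{transition}',
    //     name: 'api.action.example_order.transition_state',
    //     methods: ['POST'],
    // )]

    // AFTER: `_acl` names the privilege the caller must hold. Shopware evaluates
    // it for `api`-scoped routes before the action executes; a user lacking
    // `order.editor` gets 403 and the order state is never touched.
    #[Route(
        path: '/api/_action/example-order/{orderId}/state/{transition}',
        name: 'api.action.example_order.transition_state',
        methods: ['POST'],
        defaults: ['_acl' => ['order.editor']],
    )]
    public function transitionState(string $orderId, string $transition, Context $context): Response
    {
        // Only reached when the ACL check has already passed.
        $states = $this->stateMachineRegistry->transition(
            new Transition(OrderDefinition::ENTITY_NAME, $orderId, $transition, 'stateId'),
            $context
        );

        $toPlace = $states->get('toPlace');

        return new JsonResponse([
            'orderId' => $orderId,
            'transition' => $transition,
            'newState' => $toPlace?->getTechnicalName(),
        ]);
    }
}
```

To confirm the protection holds after deploying, call the transition endpoint with an integration or user token whose role lacks `order.editor` and expect HTTP 403 with the order's state unchanged; then repeat with a role that has the privilege and expect the transition to apply. The same `_acl` default belongs on every transition route the controller exposes, not only one of them.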