php · shopware/platform · Critical

shopware/platform: Non-admin users can escalate to admin via UserController::upsertUser()


09 Jun 2026 · Read 1 min · Severity: act now

What changed

UserController::upsertUser() writes user data in SYSTEM_SCOPE and does not filter the admin field, allowing non-admin API users with user:create or user:update ACL permission to set admin: true on new or existing users.

Who it affects

Any API user with user:create or user:update ACL permission can escalate to full admin access.

What to do today

Apply the suggested fix: add the isAdmin() check used in IntegrationController to UserController::upsertUser(), so that the admin field cannot be set without admin privileges.
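The shape of that guard, as an added illustration rather than Shopware's own code: a standalone PHP function that refuses to let a caller touch the `admin` field unless the caller already holds admin privileges, checked before any system-scope write happens. The class and function names (`Caller`, `guardUserPayload`, `AccessDeniedException`) are hypothetical; the real fix is the `isAdmin()` check the advisory points to inside `UserController::upsertUser()`.

```php
<?php
// Added illustration, not Shopware's code. Names below are hypothetical; the
// advisory's actual fix is an isAdmin() check in UserController::upsertUser().

declare(strict_types=1);

final class AccessDeniedException extends RuntimeException {}

/** Hypothetical stand-in for the authenticated API caller. */
final class Caller
{
    public function __construct(
        public readonly string $id,
        public readonly bool $isAdmin,
        /** ACL privileges such as 'user:create' or 'user:update'. */
        public readonly array $privileges,
    ) {}
}

/**
 * Validate a user-upsert payload before it reaches a privileged (system-scope)
 * write. The ACL check alone is not enough: it says the caller may edit users,
 * not that the caller may grant admin. So the admin flag gets its own gate.
 */
function guardUserPayload(array $payload, Caller $caller): array
{
    $required = isset($payload['id']) ? 'user:update' : 'user:create';
    if (!in_array($required, $caller->privileges, true)) {
        throw new AccessDeniedException("Missing ACL privilege {$required}");
    }

    // Deny rather than silently strip the field: a rejected request shows up
    // in logs, a silently dropped key does not.
    if (array_key_exists('admin', $payload) && !$caller->isAdmin) {
        throw new AccessDeniedException(
            "Caller {$caller->id} may not set the admin field without admin privileges"
        );
    }

    return $payload;
}

// Constructed demo data.
$editor    = new Caller('editor-1', false, ['user:update']);
$superuser = new Caller('root-1', true, ['user:create', 'user:update']);

// A non-admin with user:update attempting to flip its own admin flag is refused.
try {
    guardUserPayload(['id' => 'editor-1', 'admin' => true], $editor);
    echo "unexpected: escalation allowed\n";
} catch (AccessDeniedException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

// An existing admin creating another admin is still allowed.
$ok = guardUserPayload(['username' => 'ops', 'admin' => true], $superuser);
echo "allowed: " . json_encode($ok) . "\n";

// A non-admin update that leaves the admin field alone also passes.
$ok = guardUserPayload(['id' => 'editor-1', 'email' => 'e@example.test'], $editor);
echo "allowed: " . json_encode($ok) . "\n";
```

The guard rejects the presence of the `admin` key, not only `admin: true`, so a non-admin also cannot use the same endpoint to clear the flag on an existing administrator. Placing the check ahead of the system-scope write is the point: the elevated scope is what makes the unfiltered field dangerous, so the filter has to run before it.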
