Shopware Platform: Privilege Escalation via Sync API Bypass
A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API (POST /api/_action/sync).
What changed
The regular integration endpoint correctly blocks a non-admin user from creating an integration with admin: true. The Sync API (POST /api/_action/sync) bypasses that controller-level check because it writes directly through the DAL EntityWriter, where the admin field has no write protection of its own, so a user holding only the integration:create ACL privilege can create an integration that is a full administrator.
Who it affects
All Shopware instances where non-admin API users have the integration:create ACL privilege.
What to do today
Apply the remediation by adding WriteProtection(Context::SYSTEM_SCOPE) to the admin field in IntegrationDefinition.php, or restrict the integration:create ACL to trusted users only.
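To show why a field-level write protection closes the bypass while a controller-level check alone does not, here is an added Python model of the two write paths the advisory describes; it is not Shopware's code, the class names are simplified stand-ins, and the scope strings are placeholders for Context::SYSTEM_SCOPE and an ordinary user scope:

```python
from collections import namedtuple

SYSTEM_SCOPE = "system"  # stands in for Context::SYSTEM_SCOPE
USER_SCOPE = "user"      # scope of an ordinary API user
Context = namedtuple("Context", "scope is_admin")

class IntegrationDefinition:
    """Stand-in for IntegrationDefinition.php: field -> required write scope ("" = any)."""
    def __init__(self, protect_admin: bool):
        # protect_admin toggles the advisory's remediation on the admin field
        self.write_scope = {"label": "", "admin": SYSTEM_SCOPE if protect_admin else ""}

class EntityWriter:
    """Data-layer writer: the one place field-level protection is enforced."""
    def __init__(self, definition):
        self.definition, self.rows = definition, []
    def create(self, payload, ctx):
        for key in payload:
            needed = self.definition.write_scope[key]
            if needed and ctx.scope != needed:
                raise PermissionError(f"{key} is write-protected to {needed} scope")
        self.rows.append(dict(payload))

def integration_controller(payload, ctx, writer):
    """Regular endpoint: rejects admin:true from non-admins before writing."""
    if payload.get("admin") and not ctx.is_admin:
        raise PermissionError("only administrators may create admin integrations")
    writer.create(payload, ctx)

def sync_controller(operations, ctx, writer):
    """Sync API: hands payloads straight to the writer, with no check of its own."""
    for op in operations:
        writer.create(op, ctx)

def attempt_escalation(protect_admin: bool) -> dict:
    """Non-admin user with integration:create tries both paths; reports the outcomes."""
    ctx = Context(scope=USER_SCOPE, is_admin=False)
    payload = {"label": "constructed sample", "admin": True}  # constructed request body
    writer = EntityWriter(IntegrationDefinition(protect_admin))
    outcome = {}
    for path, call in (("regular", lambda: integration_controller(payload, ctx, writer)),
                       ("sync", lambda: sync_controller([payload], ctx, writer))):
        try:
            call()
            outcome[path] = "created"
        except PermissionError:
            outcome[path] = "blocked"
    return outcome
```

With protect_admin=False the sync path succeeds while the regular path is blocked; with the field protected both are blocked, and a system-scope context can still create admin integrations.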