php · shopware/platform · Critical
Shopware Platform: user_recovery hash exposed via Admin API
What changed
The `user_recovery` entity exposes its `hash` field through the Admin API search endpoint (`POST /api/search/user-recovery`), allowing any user with `user_recovery:read` ACL to read recovery hashes intended to be secret and delivered only via email.
Who it affects
All Shopware instances where a low-privilege admin user has the `user_recovery:read` ACL permission.
What to do today
Apply the remediation by adding `new ApiAware(false)` to the `hash` field in `src/Core/System/User/Recovery/UserRecoveryDefinition.php` to remove the hash from API responses.
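To make the remediation concrete, here is an illustrative reconstruction of the relevant part of the entity definition, showing the `hash` field as it is exposed today beside the flagged version the advisory prescribes. This is an added example, not the project's actual `UserRecoveryDefinition.php`: the surrounding fields (`id`, `user_id`) and the `ENTITY_NAME` constant are assumed for illustration, and only the `new ApiAware(false)` flag on `hash` is the change the advisory names.

```php
<?php
// Added example: illustrative reconstruction of the field definition change
// described in the advisory. The id and user_id fields and ENTITY_NAME are
// assumed; only the ApiAware(false) flag on `hash` is the prescribed fix.
namespace Shopware\Core\System\User\Recovery;

use Shopware\Core\Framework\DataAbstractionLayer\EntityDefinition;
use Shopware\Core\Framework\DataAbstractionLayer\Field\FkField;
use Shopware\Core\Framework\DataAbstractionLayer\Field\Flag\ApiAware;
use Shopware\Core\Framework\DataAbstractionLayer\Field\Flag\PrimaryKey;
use Shopware\Core\Framework\DataAbstractionLayer\Field\Flag\Required;
use Shopware\Core\Framework\DataAbstractionLayer\Field\IdField;
use Shopware\Core\Framework\DataAbstractionLayer\Field\StringField;
use Shopware\Core\Framework\DataAbstractionLayer\FieldCollection;
use Shopware\Core\System\User\UserDefinition;

class UserRecoveryDefinition extends EntityDefinition
{
    public const ENTITY_NAME = 'user_recovery'; // assumed constant name

    public function getEntityName(): string
    {
        return self::ENTITY_NAME;
    }

    protected function defineFields(): FieldCollection
    {
        return new FieldCollection([
            (new IdField('id', 'id'))->addFlags(new PrimaryKey(), new Required()),
            (new FkField('user_id', 'userId', UserDefinition::class))->addFlags(new Required()),

            // Vulnerable shape: the secret recovery hash carries only Required(),
            // so POST /api/search/user-recovery serialises it for every user
            // holding the user_recovery:read ACL.
            //   (new StringField('hash', 'hash'))->addFlags(new Required()),

            // Remediated shape: ApiAware(false), as the advisory prescribes, keeps
            // the hash out of Admin API responses. The value still exists in the
            // database for the email-delivered recovery link to be matched against.
            (new StringField('hash', 'hash'))->addFlags(new Required(), new ApiAware(false)),
        ]);
    }
}
```

After deploying the change, the practical check is to repeat the search request with a token whose role has only `user_recovery:read` and confirm that the returned `user_recovery` resources no longer carry a `hash` attribute.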