A vulnerability was found in Shopware. It has been rated as critical. Affected by this issue is some unknown functionality of the file src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php of the component Store API Endpoint. This manipulation of the argument orderId causes improper authentication.

This vulnerability is tracked as CVE-2026-48016. The attack is possible to be carried out remotely. No exploit exists.