GHSA-r2vg-hvjm-fg38: Shopware Customer Orders can be canceled, even if refunds are disabled

October 21, 2025

Refunds in general can be enabled through the administration setting core.cart.enableOrderRefunds (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php

To mitigate this, a check should be added to the CancelOrderRoute which verifies that the feature is enabled.

References

Code Behaviors & Features

Detect and mitigate GHSA-r2vg-hvjm-fg38 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →