External risk intelligence

Vendure Shop API flaw lets attackers steal customer data or disrupt services.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-40887

An unauthenticated flaw in the Vendure Shop API lets attackers run malicious commands against your database, potentially exposing customer data or disrupting services. This is critical as it affects public-facing commerce operations and all major databases.

Halo Surface Signal: 5

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-40887

Vendure is a headless commerce platform designed to expose its Shop API to the public internet to facilitate storefront operations for customers. Since the vulnerability exists within this unauthenticated, public-facing API endpoint, the attack surface is exposed by design in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-40887

Yes

CVE-2026-40887 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

SQL injection in Vendure Shop API allows unauthenticated attackers to execute arbitrary SQL, which is an automatic PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated SQL injection vulnerability in the Vendure Shop API could allow attackers to run arbitrary commands against your database. This issue is critical because it could lead to significant data compromise.

  • Affects unauthenticated access.
  • Could allow database takeover.
  • Impacts all supported databases.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending specially crafted requests to the Vendure Shop API, targeting the `languageCode` parameter. By injecting malicious SQL code, an attacker could gain unauthorized access to sensitive data or disrupt database operations. This vulnerability affects all supported database backends.

  • Unauthenticated API access needed.
  • Shop API `languageCode` parameter targeted.
  • SQL injection allows data exfiltration.

Live Threat

Current exploitation, exposure, and threat context

This SQL injection vulnerability in Vendure's Shop API, affecting versions prior to 2.3.4, 3.5.7, and 3.6.2, presents a significant risk due to its unauthenticated nature and direct impact on database integrity. Attackers are likely to target this because it allows for arbitrary SQL execution without needing any prior access to the system. The vulnerability's presence in a widely used commerce platform's public-facing API further increases its attractiveness for exploitation.

  • Publicly exposed API endpoint.
  • Affects database operations directly.
  • Exploitable without authentication.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize remediating the unauthenticated SQL injection in the Vendure Shop API, given the API's public-facing nature and the critical severity of this vulnerability. Review logs for requests that target the `languageCode` parameter as a sign of attempted exploitation.

  • Apply Vendure versions 2.3.4, 3.5.7, or 3.6.2.
  • Implement the provided hotfix to validate `languageCode`.
  • Monitor traffic for suspicious SQL query patterns.
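As an added example (not Vendure's own hotfix or code), the kind of strict check a defender would apply to `languageCode` before it reaches any query, together with a pass over access-log lines that flags requests failing that check; the allow-list, the simplified log format, the constructed sample lines and the function names are assumptions for this example:

```typescript
// Added example, not Vendure's code. Allow-list of store language codes is assumed.
const ALLOWED_LANGUAGE_CODES: ReadonlySet<string> = new Set(["en", "de", "fr", "en_US"]);

// Two layers: a structural check (two/three lowercase letters, optional region
// suffix), then the configured allow-list. Anything else is rejected outright.
function isValidLanguageCode(value: unknown): value is string {
  if (typeof value !== "string") return false;
  if (!/^[a-z]{2,3}(?:_[A-Za-z]{2,4})?$/.test(value)) return false;
  return ALLOWED_LANGUAGE_CODES.has(value);
}

interface Finding {
  line: number;
  ip: string;
  languageCode: string;
}

// Constructed sample access-log lines in a simplified "ip method path" form.
const SAMPLE_LOG: string[] = [
  "203.0.113.10 GET /shop-api?languageCode=en",
  "203.0.113.11 GET /shop-api?languageCode=en%27",
  "198.51.100.5 GET /shop-api?languageCode=fr",
  "198.51.100.6 GET /shop-api?languageCode=xx",
];

// Pull the languageCode query argument out of a log line and URL-decode it.
function extractLanguageCode(line: string): string | undefined {
  const m = /[?&]languageCode=([^&\s]*)/.exec(line);
  if (!m) return undefined;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return m[1];
  }
}

// Report every request whose languageCode would have been rejected by the check.
function scanLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    const code = extractLanguageCode(line);
    if (code === undefined || isValidLanguageCode(code)) return;
    findings.push({ line: i + 1, ip: line.split(" ")[0], languageCode: code });
  });
  return findings;
}

console.log(scanLog(SAMPLE_LOG));
```

The second sample line fails the structural check, the fourth fails only the allow-list; both are reported, which is the distinction worth keeping when triaging log hits.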

Frequently asked questions

What is Vendure and what is it used for?

Vendure is an open-source, headless commerce platform. It allows businesses to build and manage online stores by providing the backend e-commerce functionality, which can then be connected to any desired frontend or customer-facing interface.

What kind of vulnerability does CVE-2026-40887 represent?

CVE-2026-40887 is an SQL injection vulnerability. This weakness occurs when user input is directly included in a database query without proper sanitization, allowing an attacker to manipulate the query and execute arbitrary SQL commands.

How could an attacker exploit the Vendure Shop API flaw?

An attacker could exploit this by sending specially crafted requests to the Vendure Shop API. The vulnerability lies in how the `languageCode` parameter is handled, allowing malicious SQL code to be injected into database queries, potentially leading to data compromise.

Who needs to be concerned about this Vendure vulnerability?

Organizations using Vendure with internet-facing Shop APIs should be concerned. This is because the vulnerability can be exploited without authentication, making any exposed Vendure Shop API a potential target.

What is the first step to address this CVE in Vendure?

The immediate first step is to upgrade to a patched version of Vendure: 2.3.4, 3.5.7, or 3.6.2. If an upgrade is not immediately possible, applying the provided hotfix to validate the `languageCode` input is crucial.
