CVE-2026-7630: InnoShop Improper Authentication Exposes Installation Endpoint
The National Vulnerability Database has disclosed CVE-2026-7630, a high-severity improper authentication vulnerability in innocommerce InnoShop versions up to 0.7.8. This flaw resides within the InstallServiceProvider::boot function of the innopacks/install/src/InstallServiceProvider.php file, specifically impacting the Installation Endpoint component.
Attackers can remotely exploit this vulnerability due to improper authentication, allowing unauthorized access or manipulation. The exploit code is publicly available, significantly increasing the immediate risk for unpatched systems. A CVSSv3.1 score of 7.3 (High) reflects the severity, with low attack complexity and no user interaction required for exploitation.
Defenders must prioritize patching. The National Vulnerability Database recommends applying the patch identified as 45758e4ec22451ab944ae2ae826b1e70f6450dc9 immediately. This vulnerability, categorized under CWE-287 (Improper Authentication), presents a clear and present danger to affected InnoShop deployments.
What This Means For You
- If your organization uses innocommerce InnoShop up to version 0.7.8, you are directly exposed to CVE-2026-7630. This is not a theoretical threat; the exploit is public. Immediately verify your InnoShop version and apply the patch (`45758e4ec22451ab944ae2ae826b1e70f6450dc9`) to prevent remote exploitation of the installation endpoint. Improper authentication flaws are often gateways to further compromise.
🛡️ Detection Rules
CVE-2026-7630: InnoShop Installation Endpoint Access

```yaml
title: 'CVE-2026-7630: InnoShop Installation Endpoint Access'
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  Detects attempts to access the InnoShop installation endpoint, specifically the InstallServiceProvider::boot function, which is vulnerable to improper authentication in versions up to 0.7.8. This rule targets the specific file path and HTTP method used in exploitation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7630/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # This value is the PHP source file path named in the advisory. The URL path
    # that reaches the installation endpoint is not given on this page; confirm it
    # in your own access logs before relying on this selection.
    cs-uri|contains:
      - '/innopacks/install/src/InstallServiceProvider.php'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
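
The rule's selection applied to raw access logs, as an added example that is not from the original page or the InnoShop project. It assumes Combined Log Format and goes one step beyond the rule by percent-decoding the URI before matching; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Selection values copied from the page's Sigma rule.
RULE_URI_SUBSTRINGS = ["/innopacks/install/src/InstallServiceProvider.php"]
RULE_METHODS = {"POST"}

# Combined Log Format: ip ident user [time] "METHOD uri proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

def scan(lines, uri_substrings=RULE_URI_SUBSTRINGS, methods=RULE_METHODS):
    """Return one dict per log line that satisfies the rule's selection."""
    needles = [s.lower() for s in uri_substrings]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in methods:
            continue  # malformed line, or a method the rule does not select
        # Beyond the rule: percent-decode so %2F-style encodings still match.
        uri = unquote(m["uri"]).lower()  # Sigma 'contains' is case-insensitive
        if any(n in uri for n in needles):
            hits.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                         "status": int(m["status"])})
    return hits

def summarize(hits):
    """Per source IP: total hits and how many received a 2xx/3xx response."""
    out = defaultdict(lambda: {"hits": 0, "answered": 0})
    for h in hits:
        out[h["ip"]]["hits"] += 1
        out[h["ip"]]["answered"] += int(200 <= h["status"] < 400)
    return dict(out)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2026:18:01:10 +0000] "POST /innopacks/install/src/InstallServiceProvider.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/May/2026:18:01:12 +0000] "POST /innopacks/install/src/installserviceprovider.php HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    '198.51.100.4 - - [02/May/2026:18:02:00 +0000] "GET /innopacks/install/src/InstallServiceProvider.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/May/2026:18:03:30 +0000] "POST /innopacks%2Finstall/src/InstallServiceProvider.php HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.10 - - [02/May/2026:18:04:00 +0000] "POST /checkout HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, stats in summarize(scan(SAMPLE_LOG)).items():
        print(ip, stats)
```

Sources with a non-zero `answered` count are the ones to triage first, since the server returned a success or redirect status to a request matching the selection.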
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7630 | Auth Bypass | innocommerce InnoShop up to 0.7.8 |
| CVE-2026-7630 | Auth Bypass | innopacks/install/src/InstallServiceProvider.php |
| CVE-2026-7630 | Auth Bypass | InstallServiceProvider::boot function |
| CVE-2026-7630 | Auth Bypass | Installation Endpoint component |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 02, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.