PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47740 shopperlabs CVE debrief

A privilege escalation vulnerability in Shopper, a headless e-commerce admin panel, allows authenticated low-privilege users to perform unauthorized order lifecycle mutations and trigger real payment captures. The issue stems from improper authorization checks on multiple Filament actions within the Order detail and Order shipments tables. Specifically, actions including cancel, mark paid, mark complete, capture payment, archive, start processing, mark delivered, and edit tracking were accessible with read-only permissions (read_orders or browse_orders) rather than requiring appropriate write permissions (edit_orders). The capturePayment action is particularly critical as it could initiate actual funds movement through payment service providers. This vulnerability affects versions prior to 2.8.0 and was disclosed on May 29, 2026.

Vendor
shopperlabs
Product
shopper
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations operating Shopper-based e-commerce platforms with multi-role admin access, particularly those with read-only staff or external users requiring order visibility. Payment operations teams should prioritize this due to the real funds movement risk from unauthorized capturePayment execution.

Technical summary

The vulnerability exists in the Filament-based admin panel of Shopper, where multiple table actions on Order detail and Order shipments views lacked proper permission enforcement. The Order detail actions (cancel, mark paid, mark complete, capture payment, archive, start processing) required only read_orders permission instead of edit_orders. The Order shipments actions (mark delivered, edit tracking) required only browse_orders permission. This authorization bypass enables read-only users to alter order states and trigger financial transactions. The fix in version 2.8.0 implements proper permission checks on these actions.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Shopper to version 2.8.0 or later to remediate this vulnerability
  • Review and audit order action permissions for all authenticated user roles to ensure least-privilege access
  • Implement additional authorization checks at the application layer for sensitive order lifecycle operations
  • Monitor payment service provider logs for unauthorized capture transactions that may have occurred prior to patching
  • Conduct access control review of all Filament table actions within the admin panel to identify similar authorization gaps
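The permission model described in the technical summary, and the retroactive log check from the actions above, can be expressed as a small audit script. This is an added example, not Shopper's or Filament's code: the permission names read_orders, browse_orders and edit_orders are taken from the advisory, while the snake_case action names, the two roles, the log line format and the log lines themselves are constructed for illustration. It models the pre-2.8.0 gate table beside the expected post-fix table, reports which mutating actions a read-only role can reach under each, and scans admin audit log lines for order mutations (payment captures first) performed by a role that lacks edit_orders.

```python
"""Model of the Shopper order-action authorization gap (CVE-2026-47740) and a
retroactive audit-log check. Added example; permission names come from the
advisory, everything else (actions, roles, log format, log lines) is constructed."""

# Actions the advisory lists as mutating order or shipment state.
ORDER_DETAIL_ACTIONS = {"cancel", "mark_paid", "mark_complete",
                        "capture_payment", "archive", "start_processing"}
SHIPMENT_ACTIONS = {"mark_delivered", "edit_tracking"}
MUTATING_ACTIONS = ORDER_DETAIL_ACTIONS | SHIPMENT_ACTIONS
WRITE_PERMISSION = "edit_orders"

# Pre-2.8.0 behaviour as described: detail actions gated on read_orders,
# shipment actions gated on browse_orders (both read-only permissions).
VULNERABLE_GATE = {**{a: "read_orders" for a in ORDER_DETAIL_ACTIONS},
                   **{a: "browse_orders" for a in SHIPMENT_ACTIONS}}
# Expected post-fix behaviour: every mutating action requires edit_orders.
FIXED_GATE = {a: WRITE_PERMISSION for a in MUTATING_ACTIONS}

# Constructed roles (assumption: a read-only "viewer" role exists).
ROLES = {
    "viewer": {"browse_orders", "read_orders"},
    "fulfilment": {"browse_orders", "read_orders", "edit_orders"},
}


def is_allowed(gate, role, action):
    """True if `role` may run `action` under the given gate table; unknown
    actions are denied by default."""
    required = gate.get(action)
    if required is None:
        return False
    return required in ROLES.get(role, set())


def audit_gate(gate):
    """Mutating actions whose gate does not demand the write permission."""
    return sorted(a for a in MUTATING_ACTIONS if gate.get(a) != WRITE_PERMISSION)


def parse_line(line):
    """Parse a constructed audit line:
    '<ts> user=<name> role=<role> action=<action> order=<id>'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    return event


def find_unauthorized_mutations(lines):
    """Events where a role without edit_orders ran a mutating action.
    Payment captures are listed first because they move real funds."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if (event["action"] in MUTATING_ACTIONS
                and WRITE_PERMISSION not in ROLES.get(event["role"], set())):
            hits.append(event)
    hits.sort(key=lambda e: (e["action"] != "capture_payment", e["ts"]))
    return hits


# Constructed sample log: bob holds the read-only viewer role.
SAMPLE_LOG = [
    "2026-05-20T09:14:02Z user=alice role=fulfilment action=start_processing order=1001",
    "2026-05-20T09:20:45Z user=bob role=viewer action=view order=1001",
    "2026-05-20T09:21:10Z user=bob role=viewer action=mark_paid order=1001",
    "2026-05-20T09:21:33Z user=bob role=viewer action=capture_payment order=1001",
    "2026-05-21T14:02:11Z user=carol role=fulfilment action=capture_payment order=1002",
    "2026-05-21T15:40:00Z user=bob role=viewer action=edit_tracking order=1002",
]

if __name__ == "__main__":
    print("pre-2.8.0 actions reachable without edit_orders:", audit_gate(VULNERABLE_GATE))
    print("post-fix actions reachable without edit_orders:", audit_gate(FIXED_GATE))
    for hit in find_unauthorized_mutations(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} ({hit['role']}) ran {hit['action']} on order {hit['order']}")
```

Against a real deployment the gate tables would be derived from the permission each Filament action actually checks, and the log lines from the admin panel's activity log or the payment service provider's capture records; the ordering of results is deliberate so that any capture by a read-only role is reviewed before the less costly state changes.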

Evidence notes

CVE published 2026-05-29T19:16:25.620Z; modified 2026-05-29T20:17:38.110Z. Advisory references GitHub Security Advisory GHSA-f946-9qp6-vgch and pull request #511. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization) identified.

Official resources

2026-05-29