PatchSiren cyber security CVE debrief
CVE-2026-47741 shopperlabs CVE debrief
A race condition in Shopper's order creation logic allowed discount codes to be redeemed beyond their configured usage limits. The vulnerability existed in CreateOrderFromCartAction::execute, which persisted the Order record before atomically checking and incrementing the discount's total_use counter. Under concurrent checkout load—such as during flash sales or viral coupon events—multiple requests could pass the usage check simultaneously, resulting in orders committed with full discount application while the counter remained capped at usage_limit. The merchant received no indication of over-redemption. This is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The issue was resolved in version 2.8.0 by restructuring the transaction boundary to ensure atomic validation of discount availability before order persistence.
- Vendor: shopperlabs
- Product: shopper
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
E-commerce operators using Shopper for headless commerce; finance and fraud teams monitoring promotional discount integrity; security engineers assessing transaction-level concurrency controls in order management systems.
Technical summary
The vulnerability is a time-of-check to time-of-use (TOCTOU) race condition in the order creation workflow. CreateOrderFromCartAction::execute committed the Order row to the database prior to validating and incrementing the associated discount's total_use counter. Under concurrent request scenarios, multiple threads could observe total_use < usage_limit, proceed with order creation, and apply the discount, but only one increment would succeed—leaving other orders with unauthorized discount application. The fix in 2.8.0 reorders operations to validate and reserve discount capacity atomically before order persistence.
Defensive priority
medium
Recommended defensive actions
- Upgrade Shopper to version 2.8.0 or later to obtain the atomic transaction fix for discount validation
- Review historical order data for discount codes with usage_limit constraints to identify potential over-redemption incidents during high-traffic periods
- Implement monitoring on discount total_use counters to detect anomalous patterns suggesting race condition exploitation
- Ensure database transaction isolation levels are appropriately configured for checkout operations to prevent similar TOCTOU vulnerabilities
- Audit custom order creation workflows for similar sequencing issues where business logic validation follows data persistence
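The sequencing problem described in the technical summary, the atomic reserve-before-persist pattern, and the over-redemption audit from the defensive actions, as one added example that is not Shopper's own code: it models the advisory's usage_limit and total_use fields on an in-memory SQLite database with constructed data (table names, the FLASH10 code and the simulated interleaving are assumptions, and the Laravel/PHP stack is stood in for by Python).

```python
import sqlite3

# Constructed schema: the two discount fields the advisory names
# (usage_limit, total_use) plus an orders table referencing the discount.
SCHEMA = """
CREATE TABLE discounts (id INTEGER PRIMARY KEY, code TEXT,
                        usage_limit INTEGER, total_use INTEGER DEFAULT 0);
CREATE TABLE orders (id INTEGER PRIMARY KEY, discount_id INTEGER);
"""

def new_db(limit):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO discounts (code, usage_limit) VALUES ('FLASH10', ?)", (limit,))
    return db

def state(db):
    """(orders carrying the discount, discount total_use)."""
    orders = db.execute("SELECT COUNT(*) FROM orders WHERE discount_id = 1").fetchone()[0]
    used = db.execute("SELECT total_use FROM discounts WHERE id = 1").fetchone()[0]
    return orders, used

def vulnerable_checkout(db, n_concurrent):
    """Check, persist, then increment. The race is simulated deterministically:
    every concurrent request passes the usage check before any increments."""
    passed = [db.execute("SELECT total_use < usage_limit FROM discounts WHERE id = 1").fetchone()[0]
              for _ in range(n_concurrent)]
    for ok in passed:            # each request that passed commits its discounted order
        if ok:
            db.execute("INSERT INTO orders (discount_id) VALUES (1)")
    for ok in passed:            # the guarded increment only succeeds while under the limit
        if ok:
            db.execute("UPDATE discounts SET total_use = total_use + 1 "
                       "WHERE id = 1 AND total_use < usage_limit")
    db.commit()
    return state(db)

def atomic_checkout(db, n_concurrent):
    """Reserve capacity first: a single conditional UPDATE is atomic at the row
    level, so an order is persisted only when the reservation changed a row."""
    for _ in range(n_concurrent):
        cur = db.execute("UPDATE discounts SET total_use = total_use + 1 "
                         "WHERE id = 1 AND total_use < usage_limit")
        if cur.rowcount == 1:
            db.execute("INSERT INTO orders (discount_id) VALUES (1)")
    db.commit()
    return state(db)

def over_redeemed(db):
    """Audit over historical orders: codes applied more times than usage_limit allows."""
    return db.execute(
        "SELECT d.code, COUNT(o.id), d.usage_limit, d.total_use FROM discounts d "
        "JOIN orders o ON o.discount_id = d.id GROUP BY d.id "
        "HAVING COUNT(o.id) > d.usage_limit").fetchall()
```

With a limit of 1 and three interleaved requests, the vulnerable path leaves three discounted orders against a counter stuck at 1, which the audit query surfaces, while the atomic path admits exactly one.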
Evidence notes
The CVE description and NVD metadata confirm the vulnerability mechanism: non-atomic order creation and discount counter increment. GitHub issue 510 and pull request 511 document the reported behavior and fix. GitHub Security Advisory GHSA-9rh9-hf3w-9fgg provides vendor acknowledgment. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N yields score 5.9 (Medium), reflecting high attack complexity and integrity impact from unauthorized discount application.
Official resources
2026-05-29