PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47744 shopperlabs CVE debrief

CVE-2026-47744 documents two authorization defects in Shopper, a headless e-commerce admin panel, that allow authenticated users to escalate privileges and compromise the entire RBAC system. The first defect affects Settings/Team/Index, which lacked mount() authorization checks. Any authenticated user could load this page and invoke its public actions to create new roles and delete other users, including administrators. The second defect involves Settings/Team/RolePermission, which gated write actions on the read-only view_users permission rather than a write permission. Any user with view_users could grant themselves or others arbitrary permissions, including manage_users and edit_orders, effectively achieving full administrative access from a read-only account. Combined, these defects enable a low-privilege authenticated user to obtain administrator privileges and remove legitimate administrators. The vulnerability is fixed in version 2.8.0.

Vendor
shopperlabs
Product
shopper
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations operating Shopper e-commerce admin panels, particularly those with multi-user environments where non-administrative staff have authenticated access. Security teams responsible for RBAC implementation review and privilege escalation detection. Developers maintaining Shopper deployments or forks with custom authorization logic.

Technical summary

The vulnerability stems from two distinct authorization failures in Shopper's team management components (Shopper is a Laravel/Livewire application; mount() is the Livewire lifecycle hook that runs when a component is first loaded, and every public method on a component is callable from the browser). The Settings/Team/Index component performed no authorization in mount(), so any authenticated session could render it and invoke its public actions for role creation and user deletion. The Settings/Team/RolePermission component gated its write actions on view_users, a read-only permission, so any user who could view the user list could also grant permissions, including to their own role. The attack chain requires only an authenticated account with no elevated privileges and ends in complete administrative takeover, including removal of existing administrators. The fix in 2.8.0 closes both gaps.
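The two patterns, vulnerable and hardened, side by side. This is an added example written for this debrief to illustrate the defect classes named in the CVE; it is not Shopper's actual Settings/Team code, and the class names, the grantPermission/revokePermission actions, the view name and the use of spatie/laravel-permission with view_users and manage_users resolvable as Gate abilities are all assumptions. It also covers the last defensive action below (checking that custom RBAC code does not repeat the same mistake).

```php
<?php
// Added example for this debrief: a reconstruction of the two authorization
// patterns, not Shopper's actual Settings/Team code. Assumes a Laravel app with
// Livewire 3 and spatie/laravel-permission, whose permission names (here the
// 'view_users' and 'manage_users' quoted in the CVE) resolve as Gate abilities.

namespace App\Livewire\Settings\Team;

use Illuminate\Support\Facades\Gate;
use Livewire\Component;
use Spatie\Permission\Models\Role;

// BEFORE (vulnerable): mirrors the defect pattern described in the CVE.
class RolePermissionVulnerable extends Component
{
    public int $roleId;

    // No authorization at all on load: any authenticated user can render the
    // component (the Settings/Team/Index defect).
    public function mount(int $roleId): void
    {
        $this->roleId = $roleId;
    }

    // A write action gated on a READ permission (the RolePermission defect).
    // Livewire exposes every public method to the browser, so a user holding only
    // view_users can call this and hand manage_users to their own role.
    public function grantPermission(string $permission): void
    {
        Gate::authorize('view_users');
        Role::findOrFail($this->roleId)->givePermissionTo($permission);
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission');
    }
}

// AFTER (hardened): require the write permission on load AND on every action.
class RolePermission extends Component
{
    public int $roleId;

    public function mount(int $roleId): void
    {
        // Throws AuthorizationException (HTTP 403) unless the user holds manage_users.
        Gate::authorize('manage_users');
        $this->roleId = $roleId;
    }

    public function grantPermission(string $permission): void
    {
        // mount() runs only on the initial request; later action calls re-hydrate
        // the component without it, so each action must re-check on its own.
        Gate::authorize('manage_users');
        Role::findOrFail($this->roleId)->givePermissionTo($permission);
    }

    public function revokePermission(string $permission): void
    {
        Gate::authorize('manage_users');
        Role::findOrFail($this->roleId)->revokePermissionTo($permission);
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission');
    }
}
```

Two points the hardened version relies on: a check in mount() alone is not enough, because Livewire actions on an already-rendered component do not go through mount() again; and hiding a button in the Blade view behind @can does nothing, since the action can be invoked directly from the client. The ability named in each Gate::authorize() call must be a permission that implies write access, never a view_* permission.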

Defensive priority

CRITICAL

Recommended defensive actions

  • Upgrade Shopper to version 2.8.0 or later to remediate both authorization defects.
  • Review and audit all user roles and permissions in affected installations prior to 2.8.0 to identify potential unauthorized privilege grants or user deletions.
  • Restrict access to the admin panel's team-settings functionality pending upgrade. Path-based WAF rules are of limited use here because Livewire dispatches component actions through its shared update endpoint rather than per-action URLs; restricting the admin panel to trusted networks or to administrator accounts is more practical.
  • Review access and application logs for non-administrative accounts interacting with the Settings/Team/Index and Settings/Team/RolePermission components (for example, role creations, user deletions, or permission grants attributed to accounts that hold only view_users), since these are the actions the defects expose.
  • Validate that custom RBAC implementations or extensions do not replicate the same authorization logic errors.

Evidence notes

The CVE description identifies two specific authorization failures: missing mount() authorization on Settings/Team/Index and improper permission gating on Settings/Team/RolePermission. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impacts across confidentiality, integrity, and availability. CWE-269 (Improper Privilege Management) and CWE-285 (Improper Authorization) are cited as weakness classifications. The advisory source is GitHub Security Advisories.

Official resources

2026-05-29