PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47745 shopperlabs CVE debrief

CVE-2026-47745 is a broken access control vulnerability in Shopper, a Headless e-commerce Admin Panel from shopperlabs. Prior to version 2.8.0, the admin tables for PaymentMethods, Currencies, and Carriers rendered inline toggles and per-record actions (enable, disable, edit, delete) for any authenticated panel user without checking the per-action permission each control requires. A low-privilege authenticated user can therefore disable every payment method, alter or disable the default currency, or disable carriers, which shuts down checkout and corrupts pricing. The CVSS 3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high integrity impact, and no rated confidentiality or availability impact. The vector scores the attacker's ability to rewrite storefront configuration as an integrity impact; the checkout outage that follows is a downstream business consequence, not a rated availability impact on the panel itself. The weakness is classified as CWE-862 (Missing Authorization). The vulnerability was published on 2026-05-29 and modified the same day. It is not listed in CISA KEV. The fix is available in Shopper version 2.8.0.

Vendor
shopperlabs
Product
shopper
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running the Shopper admin panel with more than one user, especially where staff without administrative rights hold panel credentials. E-commerce operators who depend on checkout availability and pricing integrity. Security teams responsible for access control audits in headless commerce platforms.

Technical summary

The vulnerability exists in the admin panel tables for PaymentMethods, Currencies, and Carriers in Shopper versions prior to 2.8.0. The application rendered inline toggle controls and per-record action buttons (enable, disable, edit, delete) on the basis of authentication alone, without verifying that the authenticated user holds the specific permission each action requires. This is a textbook instance of CWE-862 (Missing Authorization): being logged in is treated as being authorized. The attack surface is the table views for these three configuration entities, each of which the storefront depends on at checkout. Any user with valid panel credentials can use those controls to disable all payment methods (no checkout possible), modify or disable the default currency (loss of pricing integrity), or disable shipping carriers. The fix in version 2.8.0 adds per-action permission checks both before rendering the controls and before processing the requests they issue; the second check matters because a user who knows the request format can submit an action without ever seeing the button.
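The pattern and its fix, reduced to a runnable sketch. This is an added example, not Shopper's own code or the code in the 2.8.0 fix: the permission-string format ("<resource>.<ability>"), the User and PaymentMethod shapes, and the mapping from UI actions to abilities are assumptions made for illustration. The vulnerable handlers gate on authentication only, as the advisory describes; the hardened handlers apply the same per-action check when rendering controls and when processing the request.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a user lacks the permission an action requires."""


@dataclass(frozen=True)
class User:
    name: str
    # Permission strings are an assumption for this example: "<resource>.<ability>".
    permissions: frozenset


@dataclass
class PaymentMethod:
    id: int
    name: str
    enabled: bool = True


RESOURCE = "payment_methods"

# Each UI action maps to the ability it requires (assumed mapping). "enable" and
# "disable" are the inline toggle; "edit" and "delete" are the per-record buttons.
REQUIRED_ABILITY = {
    "enable": "update",
    "disable": "update",
    "edit": "update",
    "delete": "delete",
}


def can(user, action):
    """Per-action permission check: the step the pre-2.8.0 tables skipped."""
    return f"{RESOURCE}.{REQUIRED_ABILITY[action]}" in user.permissions


def _apply(store, record_id, action):
    """State change shared by both handlers; deliberately has no authorization."""
    record = store[record_id]
    if action == "enable":
        record.enabled = True
    elif action == "disable":
        record.enabled = False
    elif action == "delete":
        del store[record_id]
    elif action == "edit":
        pass  # a real edit would update fields; omitted here
    else:
        raise ValueError(f"unknown action {action!r}")


# --- Vulnerable pattern: authentication is treated as authorization (CWE-862) ---

def render_actions_vulnerable(user):
    if user is None:
        return []
    return list(REQUIRED_ABILITY)          # every control, for every logged-in user


def handle_action_vulnerable(user, store, record_id, action):
    if user is None:
        raise AuthorizationError("login required")
    _apply(store, record_id, action)       # no per-action check


# --- Hardened pattern: one check gates both rendering and processing ---

def render_actions_fixed(user):
    if user is None:
        return []
    return [a for a in REQUIRED_ABILITY if can(user, a)]


def handle_action_fixed(user, store, record_id, action):
    if user is None:
        raise AuthorizationError("login required")
    if not can(user, action):
        # Enforced server-side as well: hiding the button is not a control.
        raise AuthorizationError(f"{user.name} may not {action} {RESOURCE}")
    _apply(store, record_id, action)


def seed_store():
    """Constructed sample data: two enabled payment methods."""
    return {1: PaymentMethod(1, "card"), 2: PaymentMethod(2, "bank_transfer")}


def attempt_disable_all(handler, user):
    """A user tries to disable every payment method through `handler`.
    Returns (methods still enabled, whether any request was refused)."""
    store = seed_store()
    refused = False
    for record_id in list(store):
        try:
            handler(user, store, record_id, "disable")
        except AuthorizationError:
            refused = True
    return sum(pm.enabled for pm in store.values()), refused


# Constructed users: a read-only viewer and a manager allowed to update.
VIEWER = User("viewer", frozenset({"payment_methods.view"}))
MANAGER = User("manager", frozenset({"payment_methods.view", "payment_methods.update"}))
```

With the vulnerable handler the viewer empties the checkout of payment methods; with the hardened handler every request is refused and nothing changes, while the manager, who holds the update ability, can still toggle records. The same `can()` call is what decides whether a button is drawn, so UI and server never disagree about who may do what.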

Defensive priority

High

Recommended defensive actions

  • Upgrade Shopper to version 2.8.0 or later, which adds the missing per-action permission checks to the PaymentMethods, Currencies, and Carriers admin tables.
  • Audit the remaining admin panel tables for the same pattern: any inline toggle or per-record action that is shown to every authenticated user, or processed without a permission check, is a candidate for the same defect.
  • Treat UI visibility as cosmetic and enforce authorization server-side on every state-changing endpoint, so that a request crafted without the button is refused just as the button would be hidden.
  • Until the upgrade is deployed, monitor the panel's audit or request logs for bursts of disable, edit, or delete actions on payment methods, currencies, or carriers by users who are not administrators. Plain web-server access logs usually record neither the acting user nor the target record, so confirm that the log source you query carries both.
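A minimal detection for the last item, as an added example that is not part of the original debrief or of Shopper. The log line layout (timestamp, user, role, action, resource, record id) and the sample lines are constructed for the example; a real deployment would adapt the regex to whatever the panel's audit log actually emits. It flags any non-administrator who performs several sensitive actions on the three watched resources inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WATCHED_RESOURCES = {"payment_methods", "currencies", "carriers"}
SENSITIVE_ACTIONS = {"disable", "delete", "edit"}

# Assumed log layout for this example; adapt to the real panel's audit log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) id=(?P<id>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_bulk_config_changes(lines, threshold=2, window=timedelta(minutes=5),
                             admin_roles=("admin",)):
    """Alert on non-admin users who perform >= threshold sensitive actions
    on watched resources within `window`. Returns one alert per such user."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["role"] in admin_roles:
            continue
        if ev["resource"] not in WATCHED_RESOURCES or ev["action"] not in SENSITIVE_ACTIONS:
            continue
        per_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: find the densest run of events within `window`.
        best_start, best_end, start = 0, 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start > best_end - best_start:
                best_start, best_end = start, end
        run = evs[best_start:best_end + 1]
        if len(run) >= threshold:
            alerts.append({
                "user": user,
                "role": run[0]["role"],
                "count": len(run),
                "first": run[0]["ts"],
                "last": run[-1]["ts"],
                "targets": sorted({f'{e["resource"]}#{e["id"]}' for e in run}),
            })
    return alerts


# Constructed sample log: a viewer disabling three payment methods in seconds,
# an admin legitimately disabling carriers, a lone edit hours later, a read,
# and one malformed line.
SAMPLE_LOG = [
    "2026-05-29T10:00:01Z user=viewer role=viewer action=disable resource=payment_methods id=1",
    "2026-05-29T10:00:05Z user=viewer role=viewer action=disable resource=payment_methods id=2",
    "2026-05-29T10:00:09Z user=viewer role=viewer action=disable resource=payment_methods id=3",
    "2026-05-29T10:01:00Z user=root role=admin action=disable resource=carriers id=1",
    "2026-05-29T10:01:03Z user=root role=admin action=disable resource=carriers id=2",
    "2026-05-29T14:00:00Z user=support role=support action=edit resource=currencies id=1",
    "2026-05-29T14:00:10Z user=support role=support action=view resource=payment_methods id=1",
    "garbage line that does not parse",
]
```

Running `find_bulk_config_changes(SAMPLE_LOG)` on the sample yields a single alert for `viewer` covering three payment methods; the admin's carrier changes are skipped by role, and the support user's lone edit stays under the threshold. Tune `threshold` and `window` to the panel's normal change rate, and consider lowering the threshold to 1 for the default currency, where a single change is already damaging.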

Evidence notes

The CVE description and NVD record confirm the affected product is Shopper, a Headless e-commerce Admin Panel, and that versions prior to 2.8.0 are affected. The GitHub Security Advisory and the linked pull request provide the fix details. The CVSS vector and CWE classification are sourced from the NVD record.

Official resources

The vulnerability was disclosed via GitHub Security Advisory GHSA-fxqw-97cc-7g5c and fixed in pull request #511. The CVE was published on 2026-05-29T19:16:26.177Z and last modified on 2026-05-29T20:17:38.110Z.