CVE-2026-47740
Privilege Escalation in Shopper Admin Panel
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| shopper | shopper | up to 2.8.0 (inclusive) |
| shopperlabs | shopper | up to 2.8.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized modification of order data and unauthorized triggering of real payment captures, which can lead to financial loss.
An attacker with only read access could alter the lifecycle of every order in the admin panel, such as canceling orders, marking them as paid or complete, or capturing payments without proper authorization.
The CVSS score of 8.1 indicates a high severity, with significant impacts on confidentiality and integrity due to unauthorized data modification and access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to upgrade the Shopper framework to version 2.8.0 or later, where proper authorization checks have been implemented.
This update enforces the required edit_orders permissions on all sensitive Filament actions, preventing low-privilege users from performing unauthorized order mutations or triggering real payment captures.
Can you explain this vulnerability to me?
CVE-2026-47740 is a high-severity vulnerability in the Shopper e-commerce admin panel versions prior to 2.8.0. It allows authenticated users with low privileges, who normally only have read-only access to orders, to perform unauthorized actions that should require higher permissions. These actions include canceling orders, marking orders as paid or complete, capturing payments, archiving orders, starting order processing, marking shipments as delivered, and editing tracking details.
The root cause is missing authorization checks on multiple Filament actions in the admin panel, which allowed users with only read_orders or browse_orders permissions to mutate orders and trigger real-world payment captures without having the required edit_orders permission.
This vulnerability was fixed in version 2.8.0 by enforcing proper authorization checks requiring edit_orders permissions for these actions.
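To make the root cause concrete, here is an added illustration (not Shopper's own code) of a Filament v3 table action of the kind the advisory describes, first without any authorization check and then with the edit_orders check enforced server-side. The Order model, its capturePayment() method, the action name and the registered edit_orders ability are assumptions for the example.

```php
<?php
// Added example (not Shopper's code): a Filament v3 table action on an
// Order resource, shown without and with an authorization check.
// Assumptions: an App\Models\Order model with a capturePayment() method,
// and an 'edit_orders' ability registered with Laravel's Gate (for
// example via Gate::define() or a permission package).

namespace App\Filament\Resources\OrderResource\Actions;

use App\Models\Order;
use Filament\Tables\Actions\Action;
use Illuminate\Support\Facades\Gate;

final class CapturePaymentAction
{
    // Vulnerable pattern (CWE-862): any user who can open the orders
    // table, i.e. one holding only browse/read permission, can invoke
    // the handler and trigger a real payment capture.
    public static function vulnerable(): Action
    {
        return Action::make('capturePayment')
            ->requiresConfirmation()
            ->action(fn (Order $record) => $record->capturePayment());
    }

    // Hardened pattern: the Gate check inside the handler is the
    // server-side control. visible() only removes the button from the
    // UI and must not be relied on by itself.
    public static function hardened(): Action
    {
        return Action::make('capturePayment')
            ->requiresConfirmation()
            ->visible(fn (): bool => Gate::allows('edit_orders'))
            ->action(function (Order $record): void {
                // Throws AuthorizationException (rendered as HTTP 403)
                // when the current user lacks edit_orders, whatever the
                // UI showed or the request claimed.
                Gate::authorize('edit_orders');
                $record->capturePayment();
            });
    }
}
```

The same pattern applies to every mutating action the advisory lists (cancel, mark as paid or complete, archive, start processing, mark shipment delivered, edit tracking): each handler performs its own authorization check rather than inheriting the weaker permission that grants access to the orders list.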
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated low-privilege users to perform unauthorized mutations on orders, including triggering real payment captures and altering order lifecycle data. Such unauthorized access and modification can lead to breaches of confidentiality and integrity of sensitive customer and payment information.
Because of these impacts, organizations using affected versions of Shopper may face compliance risks with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and payment data to protect user privacy and ensure data integrity.
Mitigating this vulnerability by upgrading to version 2.8.0 or later is essential to maintain compliance with these regulations by enforcing proper authorization checks and preventing unauthorized data manipulation.