CVE-2026-47740
Status: Deferred - Pending Action
Privilege Escalation in Shopper Admin Panel

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Shopper is a headless e-commerce admin panel. Prior to 2.8.0, multiple Filament actions on the admin Order detail page and the Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS evaluated: 2026-06-18
Affected Vendors & Products (2 associated CPEs)
Vendor       Product   Version / Range
shopper      shopper   up to 2.8.0 (inclusive)
shopperlabs  shopper   up to 2.8.0 (exclusive)
CWE
CWE ID   Description
CWE-285  The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-862  The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

This vulnerability allows authenticated low-privilege users to perform unauthorized mutations on orders, including triggering real payment captures and altering order lifecycle data. Such unauthorized access and modification can lead to breaches of confidentiality and integrity of sensitive customer and payment information.

Because of these impacts, organizations using affected versions of Shopper may face compliance risks with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and payment data to protect user privacy and ensure data integrity.

Mitigating this vulnerability by upgrading to version 2.8.0 or later is essential to maintain compliance with these regulations by enforcing proper authorization checks and preventing unauthorized data manipulation.

Impact Analysis

This vulnerability can have serious impacts, including unauthorized modification of order data and unauthorized triggering of real payment captures, which can lead to financial loss.

An attacker with only read access could alter the lifecycle of every order in the admin panel, such as canceling orders, marking them as paid or complete, or capturing payments without proper authorization.

The CVSS score of 8.1 indicates a high severity, with significant impacts on confidentiality and integrity due to unauthorized data modification and access.

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade the Shopper framework to version 2.8.0 or later, where proper authorization checks have been implemented.

This update enforces the required edit_orders permissions on all sensitive Filament actions, preventing low-privilege users from performing unauthorized order mutations or triggering real payment captures.

Executive Summary

CVE-2026-47740 is a high-severity vulnerability in the Shopper e-commerce admin panel versions prior to 2.8.0. It allows authenticated users with low privileges, who normally only have read-only access to orders, to perform unauthorized actions that should require higher permissions. These actions include canceling orders, marking orders as paid or complete, capturing payments, archiving orders, starting order processing, marking shipments as delivered, and editing tracking details.

The root cause is missing authorization checks on multiple Filament actions in the admin panel, which allowed users with only read_orders or browse_orders permissions to mutate orders and trigger real-world payment captures without having the required edit_orders permission.

This vulnerability was fixed in version 2.8.0 by enforcing proper authorization checks requiring edit_orders permissions for these actions.

Detection Guidance

This vulnerability involves unauthorized access to order mutation actions in the Shopper admin panel by authenticated low-privilege users. Detection would focus on identifying unauthorized usage of these actions (such as cancel, mark paid, mark complete, capture payment, archive, start processing, mark delivered, and edit tracking) by users with only read-only permissions.

Since the vulnerability is related to missing authorization checks in the application, network-level detection might be limited. However, monitoring application logs for suspicious activity where users with read-only permissions perform order mutation actions could help detect exploitation attempts.

Suggested commands or approaches include:

  • Review application logs for API calls or admin panel actions related to order mutations performed by users with read-only roles.
  • Use grep or similar tools to search logs for keywords such as 'cancel', 'mark paid', 'capturePayment', 'archive', 'start processing', 'mark delivered', or 'edit tracking' associated with low-privilege user accounts.
  • Example command to search logs: grep -iE 'cancel|mark paid|capturePayment|archive|start processing|mark delivered|edit tracking' /path/to/shopper/logs/* | grep 'user_role=read_orders' (the user_role=read_orders field is a placeholder: substitute whatever field your logging actually records for the acting user's role or permissions, and include browse_orders, which the advisory also describes as read-only).
  • Audit user permissions and roles in the Shopper admin panel to verify that users with read-only permissions are not performing restricted actions.

Ultimately, upgrading to version 2.8.0 or later is the recommended mitigation to prevent exploitation.
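As an added example (not part of this advisory or of the Shopper project), the log review suggested above implemented as a small Python audit: it flags any of the advisory's order-mutation actions performed by a user whose recorded permission set lacks edit_orders, and skips lines it cannot parse. The "user=... perms=... action=..." log layout, the action identifiers and the sample lines are constructed for illustration; adapt LINE_RE and MUTATING_ACTIONS to your own audit log format.

```python
"""Audit helper: flag order-mutation actions run by users who lack edit_orders
(the CVE-2026-47740 pattern).  Log format below is constructed, not Shopper's."""
import re
from dataclasses import dataclass
# Actions named in the advisory; all of them should require edit_orders.
MUTATING_ACTIONS = {
    "cancel", "markPaid", "markComplete", "capturePayment",
    "archive", "startProcessing", "markDelivered", "editTracking",
}
REQUIRED_PERM = "edit_orders"
# Constructed line layout: ts user=<name> perms=<a,b,c> action=<name> order=<id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) perms=(?P<perms>\S+) "
    r"action=(?P<action>\S+) order=(?P<order>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    action: str
    order: str
    perms: frozenset

def find_unauthorized_mutations(lines):
    """Return a Finding per mutating action whose actor lacks edit_orders.
    Unparseable lines are skipped so one bad entry cannot abort the audit."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        perms = frozenset(p for p in m["perms"].split(",") if p)
        if m["action"] in MUTATING_ACTIONS and REQUIRED_PERM not in perms:
            findings.append(Finding(m["ts"], m["user"], m["action"], m["order"], perms))
    return findings

# Constructed sample audit lines (not real Shopper output).
SAMPLE_LOG = [
    "2026-05-20T10:01:02Z user=alice perms=browse_orders,read_orders action=view order=1001",
    "2026-05-20T10:01:09Z user=alice perms=browse_orders,read_orders action=capturePayment order=1001",
    "2026-05-20T10:02:30Z user=bob perms=browse_orders,read_orders,edit_orders action=markPaid order=1002",
    "2026-05-20T10:03:11Z user=alice perms=browse_orders action=markDelivered order=1003",
    "malformed entry that does not match the layout",
]

if __name__ == "__main__":
    for f in find_unauthorized_mutations(SAMPLE_LOG):
        print(f"{f.ts} {f.user} ran {f.action} on order {f.order} holding only {sorted(f.perms)}")
```

On a patched 2.8.0 deployment such hits should no longer occur; on older versions each one is a concrete order whose lifecycle or payment state needs review.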
