CVE-2026-47744
Deferred Deferred - Pending Action
Privilege Escalation in Shopper Admin Panel

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-47744
EUVD
EUVD-2026-33407
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shopperlabs shopper to 2.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows any authenticated user to escalate privileges to full administrator level, enabling unauthorized access, modification, and deletion of user roles and data within the Shopper admin panel.

Such unauthorized privilege escalation and potential data manipulation can lead to violations of common compliance standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Specifically, the compromise of confidentiality, integrity, and availability of data due to this vulnerability could result in non-compliance with these regulations, exposing organizations to legal and financial risks.

Executive Summary

CVE-2026-47744 is a critical authorization bypass and RBAC (Role-Based Access Control) privilege escalation vulnerability in the Shopper framework versions prior to 2.8.0.

The vulnerability arises from two authorization defects in the team settings: first, the Settings/Team/Index page had no proper authorization checks, allowing any authenticated user to load the page and perform actions like creating new roles and deleting other users, including administrators.

Second, the Settings/Team/RolePermission component incorrectly allowed users with only read-only permissions (view_users) to grant themselves or others arbitrary permissions, such as manage_users and edit_orders.

Together, these flaws enable a low-privilege authenticated user to escalate their privileges to full administrator and remove legitimate administrators from the panel.

This vulnerability was fixed in version 2.8.0 of Shopper.

Impact Analysis

This vulnerability can have severe impacts as it allows any authenticated user with low privileges to escalate to full administrative control over the Shopper admin panel.

  • Unauthorized creation of roles.
  • Deletion of other users, including administrators.
  • Granting arbitrary permissions to themselves or others.
  • Complete takeover of the RBAC system.

Such control compromises confidentiality, integrity, and availability of the system, potentially leading to data breaches, unauthorized transactions, and disruption of services.

Mitigation Strategies

To mitigate this critical authorization bypass and RBAC privilege escalation vulnerability in Shopper versions prior to 2.8.0, you should immediately upgrade the Shopper framework to version 2.8.0 or later.

The upgrade can be performed using the following command:

  • `composer require shopper/admin:^2.8`

This update patches the two authorization defects that allow low-privilege authenticated users to escalate to full administrator privileges and remove legitimate administrators.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart