CVE-2026-47744
Privilege Escalation in Shopper Admin Panel
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shopperlabs | shopper | < 2.8.0 (fixed in 2.8.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-47744 is a critical authorization bypass and RBAC (Role-Based Access Control) privilege escalation vulnerability in the Shopper framework versions prior to 2.8.0.
The vulnerability arises from two authorization defects in the team settings: first, the Settings/Team/Index page had no proper authorization checks, allowing any authenticated user to load the page and perform actions like creating new roles and deleting other users, including administrators.
Second, the Settings/Team/RolePermission component incorrectly allowed users with only read-only permissions (view_users) to grant themselves or others arbitrary permissions, such as manage_users and edit_orders.
Together, these flaws enable a low-privilege authenticated user to escalate their privileges to full administrator and remove legitimate administrators from the panel.
This vulnerability was fixed in version 2.8.0 of Shopper.
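The two defects above come down to a missing authorization check on component load and a write action gated by a read-only permission. The following is an added, illustrative Laravel/Livewire component, not Shopper's own code: the component, view and method names are assumed, and it assumes the spatie/laravel-permission `Role` model for the permission store. It shows the weak check beside the hardened one.

```php
<?php
// Illustrative example of the authorization pattern this CVE was missing.
// Not Shopper's code: class, view, permission and method names are assumed.

namespace App\Livewire\Settings\Team;

use Livewire\Component;
use Spatie\Permission\Models\Role;

class RolePermission extends Component
{
    public int $roleId;

    // Guard the page load itself: Livewire calls mount() on first render,
    // so a read-only user never reaches the role management UI at all.
    public function mount(int $roleId): void
    {
        // Before the fix, the Team/Index page had no check at this point.
        abort_unless(auth()->user()?->can('manage_users'), 403);
        $this->roleId = $roleId;
    }

    // Every action must re-check authorization server-side: a Livewire
    // action is an ordinary HTTP request, so hiding a button in the UI
    // is not a control.
    public function togglePermission(string $permission): void
    {
        // Weak check (the defect): view_users is a read permission and
        // must never gate a write to the permission set.
        //   abort_unless(auth()->user()->can('view_users'), 403);

        // Hardened check: require the write permission, and refuse to
        // grant a permission the acting user does not hold themselves.
        $actor = auth()->user();
        abort_unless($actor?->can('manage_users'), 403);
        abort_unless($actor->can($permission), 403);

        $role = Role::findOrFail($this->roleId);
        $role->hasPermissionTo($permission)
            ? $role->revokePermissionTo($permission)
            : $role->givePermissionTo($permission);
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission');
    }
}
```

The second `abort_unless` in `togglePermission` is a defensive extra beyond the fix described on this page: it stops a user with `manage_users` from handing out permissions that exceed their own.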
How can this vulnerability impact me?
This vulnerability can have severe impacts, as it allows any authenticated user with low privileges to escalate to full administrative control over the Shopper admin panel, including:
- Unauthorized creation of roles.
- Deletion of other users, including administrators.
- Granting arbitrary permissions to themselves or others.
- Complete takeover of the RBAC system.
Such control compromises confidentiality, integrity, and availability of the system, potentially leading to data breaches, unauthorized transactions, and disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this critical authorization bypass and RBAC privilege escalation vulnerability in Shopper versions prior to 2.8.0, you should immediately upgrade the Shopper framework to version 2.8.0 or later.
The upgrade can be performed using the following command:
- `composer require shopper/admin:^2.8`
This update patches the two authorization defects that allow low-privilege authenticated users to escalate to full administrator privileges and remove legitimate administrators.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows any authenticated user to escalate privileges to full administrator level, enabling unauthorized access, modification, and deletion of user roles and data within the Shopper admin panel.
Such unauthorized privilege escalation and potential data manipulation can lead to violations of common compliance standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
Specifically, the compromise of confidentiality, integrity, and availability of data due to this vulnerability could result in non-compliance with these regulations, exposing organizations to legal and financial risks.