CVE-2026-47745
Shopper Admin Panel Permission Bypass in Payment Methods, Currencies, and Carriers
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shopperlabs | shopper | < 2.8.0 (2.8.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-47745 is a vulnerability in the admin panel of Shopper, the headless e-commerce framework, affecting versions prior to 2.8.0. The admin tables for PaymentMethods, Currencies, and Carriers allowed any authenticated user to enable, disable, edit, or delete records: the panel only required that the user be logged in, and did not check a per-action permission before performing each operation.
As a result, a low-privilege user could change critical store settings that should require higher privileges, such as disabling every payment method, changing the default currency, or disabling carriers.
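The pattern described above, shown as an added illustration rather than Shopper's own code: the first handler treats "is logged in to the admin panel" as the only gate, the second requires a distinct ability for each action on each record and enforces it inside the handler, so hiding a button in the UI is not the only barrier. The `User`, `PaymentMethod`, ability names and sample data are all constructed for this example and are not identifiers from the project.

```php
<?php
// Added example (not Shopper's code): per-action, per-record authorization
// for admin table actions, contrasting a handler that only requires login
// with one that checks a specific ability before every mutation.

declare(strict_types=1);

final class User
{
    public function __construct(public string $name, public array $abilities) {}

    // Mirrors the shape of Laravel's $user->can(): true only for granted abilities.
    public function can(string $ability): bool
    {
        return in_array($ability, $this->abilities, true);
    }
}

final class PaymentMethod
{
    public function __construct(public string $name, public bool $enabled) {}
}

final class AuthorizationException extends RuntimeException {}

// VULNERABLE PATTERN: reaching this handler already implies the caller is
// authenticated, and nothing else is checked, so any panel user can flip it.
function toggleUnchecked(User $user, PaymentMethod $pm): PaymentMethod
{
    $pm->enabled = !$pm->enabled;
    return $pm;
}

// HARDENED PATTERN: each action maps to its own ability (hypothetical names),
// checked in the handler itself. A denial is also an audit signal worth logging.
function toggleAuthorized(User $user, PaymentMethod $pm): PaymentMethod
{
    $ability = $pm->enabled ? 'payment-method.disable' : 'payment-method.enable';
    if (!$user->can($ability)) {
        throw new AuthorizationException("{$user->name} lacks {$ability} on {$pm->name}");
    }
    $pm->enabled = !$pm->enabled;
    return $pm;
}

function deleteAuthorized(User $user, PaymentMethod $pm, array &$store): void
{
    if (!$user->can('payment-method.delete')) {
        throw new AuthorizationException("{$user->name} lacks payment-method.delete on {$pm->name}");
    }
    unset($store[$pm->name]);
}

// Constructed sample data: two payment methods, one admin, one read-only user.
$store = [
    'card'   => new PaymentMethod('card', true),
    'paypal' => new PaymentMethod('paypal', true),
];
$admin  = new User('admin', ['payment-method.enable', 'payment-method.disable', 'payment-method.delete']);
$viewer = new User('viewer', ['payment-method.view']);

// Unchecked handler: the read-only user silently disables a payment method.
toggleUnchecked($viewer, $store['card']);
printf("unchecked: viewer toggled card -> enabled=%s\n", var_export($store['card']->enabled, true));
$store['card']->enabled = true;

// Authorized handler: the read-only user is refused, the admin succeeds.
foreach ([$viewer, $admin] as $u) {
    try {
        toggleAuthorized($u, $store['card']);
        printf("authorized: %s toggled card -> enabled=%s\n", $u->name, var_export($store['card']->enabled, true));
    } catch (AuthorizationException $e) {
        printf("authorized: denied (%s)\n", $e->getMessage());
    }
}

try {
    deleteAuthorized($viewer, $store['paypal'], $store);
} catch (AuthorizationException $e) {
    printf("authorized: denied (%s)\n", $e->getMessage());
}
printf("remaining methods: %s\n", implode(', ', array_keys($store)));
```

Run with `php example.php`. The point of the hardened form is that the check is bound to the concrete action and record (enable and disable are separate abilities, delete is a third), and that it lives in the code path that performs the change, so a hidden or disabled UI control is not the only thing standing between a low-privilege user and the mutation.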
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets any authenticated user disable payment methods, alter the default currency, or disable carriers without authorization, leading to denial of checkout and loss of pricing integrity.
The CVE description and resources do not mention GDPR, HIPAA, or any other specific regulation, so no direct compliance impact can be stated. The integrity and availability problems it causes could still indirectly affect compliance by disrupting business operations and the integrity of financial transactions.
How can this vulnerability impact me?
The vulnerability can lead to a full denial of checkout functionality and loss of pricing integrity on the e-commerce store.
- A low-privilege user could disable every payment method, effectively blocking all customer checkouts.
- They could alter the default currency, causing pricing disruptions.
- They could disable carriers, breaking shipping calculations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a missing per-action authorization check in the Shopper admin panel: any authenticated user can enable, disable, edit, or delete PaymentMethods, Currencies, and Carriers without holding the corresponding permission.
Because it is an application-level authorization flaw, there is no network-level signature to look for, and network detection commands do not apply.
Detection therefore means confirming whether a low-privilege authenticated account can perform these actions. A practical approach is to log in to a test instance as a low-privilege user and attempt an enable, disable, edit, or delete action on a PaymentMethod, Currency, or Carrier in the admin panel; if the action succeeds, the instance is affected. Checking the installed version against the affected range (below 2.8.0) is the quicker first step.
The available resources provide no specific command-line commands for automated detection.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Shopper to version 2.8.0 or later, where the vulnerability is fixed.
The upgrade can be performed with: `composer require shopper/admin:^2.8`.
Until the upgrade is applied, restrict admin panel access to trusted users only and review existing admin accounts and their permissions to minimize the exposure.