CVE-2026-47740 Overview
CVE-2026-47740 is a broken access control vulnerability [CWE-285] in Shopper, a headless e-commerce admin panel. Versions prior to 2.8.0 expose multiple Filament actions on the Order detail and Order shipments tables to authenticated low-privilege users. Users holding only the read-only read_orders or browse_orders permissions can invoke mutating actions reserved for edit_orders. Affected actions include cancel, mark paid, mark complete, capture payment, archive, start processing, mark delivered, and edit tracking. The capturePayment action can trigger a payment service provider (PSP) capture, moving real funds. The maintainers fixed the issue in version 2.8.0.
Critical Impact
Any authenticated user with read-only order access can alter the lifecycle of every order in the panel and trigger real-world payment captures.
Affected Products
- Shopper headless e-commerce admin panel versions prior to 2.8.0
- Applications integrating Shopper Order detail Filament actions
- Applications integrating Shopper Order shipments table actions
Discovery Timeline
- 2026-05-29 - CVE-2026-47740 published to the National Vulnerability Database
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-47740
Vulnerability Analysis
The vulnerability stems from missing authorization checks on order mutation actions in the Shopper admin panel. Shopper exposes Filament table and detail actions for order management. These actions should require the edit_orders permission before executing state-changing logic.
In versions before 2.8.0, the Order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing accept invocations from any user holding read_orders. Similarly, the Order shipments table actions mark delivered and edit tracking accept invocations from any user holding browse_orders. Both permissions are intended as read-only scopes.
An authenticated low-privilege user can call these actions through the admin panel UI and modify the lifecycle of any order. The capturePayment action is the most consequential because it instructs the configured payment service provider to capture funds, producing a real financial transaction outside the application boundary.
Root Cause
The action handlers do not enforce permission gates aligned with the action semantics. Read-only permissions (read_orders, browse_orders) bypass the edit_orders check that the mutating operations require. This is a classic improper authorization defect mapped to [CWE-285].
Attack Vector
Exploitation requires network access to the admin panel and a valid authenticated session with only read-level order permissions. No user interaction from a privileged user is needed. The attacker triggers the exposed Filament actions directly from the order pages they can already view. See the GitHub Security Advisory GHSA-f946-9qp6-vgch and the fix pull request #511 for technical details.
Detection Methods for CVE-2026-47740
Indicators of Compromise
- Order status transitions (cancelled, paid, complete, archived, processing) performed by accounts whose role is limited to read_orders.
- Shipment records marked delivered or with edited tracking numbers updated by accounts holding only browse_orders.
- Unexpected PSP capture transactions correlating with admin sessions from low-privilege users.
- Audit log entries showing capturePayment invocations outside normal fulfillment workflows.
Detection Strategies
- Compare each order mutation event against the acting user's effective permission set and alert when edit_orders is absent.
- Cross-reference payment capture events from the PSP with the Shopper user that initiated them and flag mismatches against role policy.
- Baseline order state-change volume per user and alert on deviations from low-privilege accounts.
Monitoring Recommendations
- Enable verbose audit logging on all Shopper order and shipment actions, including the acting user identity and permission claims.
- Forward Shopper application logs and PSP webhook events to a centralized log store for correlation.
- Review service accounts and API tokens with read_orders or browse_orders scopes for anomalous activity since installation of the vulnerable release.
How to Mitigate CVE-2026-47740
Immediate Actions Required
- Upgrade Shopper to version 2.8.0 or later on every environment that runs the admin panel.
- Audit the order and shipment audit trail for unauthorized state changes performed by low-privilege accounts.
- Reconcile recent PSP capture transactions against expected fulfillment activity and reverse any unauthorized captures.
- Rotate sessions and revoke API tokens for accounts that held read_orders or browse_orders during the exposure window.
Patch Information
The maintainers fixed the issue in Shopper 2.8.0. The fix adds the required edit_orders authorization checks to the affected Filament actions. See the Shopper pull request #511 for the code changes and the GitHub Security Advisory for vendor guidance.
Workarounds
- If immediate upgrade is not possible, revoke read_orders and browse_orders from any account that should not also receive edit_orders.
- Restrict admin panel access to a trusted network segment or VPN until the patched version is deployed.
- Temporarily disable the capturePayment action in the admin UI by removing it from the order detail action registration.
# Upgrade Shopper to the patched release using Composer
composer require shopper/framework:^2.8.0
php artisan migrate
php artisan optimize:clear
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
