CVE-2026-47744 Overview
CVE-2026-47744 is a privilege escalation vulnerability in Shopper, a headless e-commerce admin panel. The flaw resides in the team settings module and combines two distinct authorization defects. Any authenticated panel user can take over the role-based access control (RBAC) system, create new roles, delete administrators, and grant themselves arbitrary permissions including manage_users and edit_orders. The vulnerability affects all versions prior to 2.8.0 and is tracked under CWE-269: Improper Privilege Management. Maintainers fixed the issue in Shopper 2.8.0.
Critical Impact
A low-privilege authenticated user can escalate to full administrator and remove legitimate administrators from the panel.
Affected Products
- Shopper headless e-commerce admin panel versions prior to 2.8.0
- Settings/Team/Index Livewire component
- Settings/Team/RolePermission Livewire component
Discovery Timeline
- 2026-05-29 - CVE-2026-47744 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-47744
Vulnerability Analysis
The vulnerability stems from two independent authorization failures in Shopper's team settings module. The first defect affects Settings/Team/Index, which lacks a mount() authorization check. Any authenticated user can load the page and invoke its public actions to create new roles and delete existing users, including administrators.
The second defect affects Settings/Team/RolePermission. This component gates its write actions on the view_users permission, which is intended as a read-only capability. Holders of view_users can therefore grant arbitrary permissions to themselves or any other user, including manage_users and edit_orders.
Chained together, the two defects let a low-privilege authenticated account escalate to full administrator and then remove legitimate administrators from the panel, achieving complete tenant takeover.
Root Cause
The root cause is improper privilege management (CWE-269). The Settings/Team/Index component never enforces authorization on entry, while Settings/Team/RolePermission validates write operations against a read-only permission. Both defects reflect a missing separation between read and write authorization scopes in the RBAC layer.
Attack Vector
Exploitation requires only an authenticated session on the panel. The attacker navigates to the team settings interface or invokes its Livewire actions directly. From there, the attacker either calls the unguarded role and user actions on Settings/Team/Index, or, if holding view_users, mutates role permissions through Settings/Team/RolePermission. No victim interaction is required, and the CVSS scope is changed because the attacker gains administrator authority over the entire panel rather than over their own account alone.
No public exploitation code is available. See the GitHub Security Advisory for additional technical detail.
Detection Methods for CVE-2026-47744
Indicators of Compromise
- Unexpected role creation events originating from non-administrator accounts in Shopper audit logs.
- Deletion of administrator user records performed by accounts without manage_users.
- Permission grants of manage_users, edit_orders, or similar high-privilege scopes assigned by accounts holding only view_users.
- HTTP requests to Livewire endpoints handling Settings/Team/Index or Settings/Team/RolePermission from low-privilege sessions.
Detection Strategies
- Audit Shopper application logs for role and permission mutations and correlate the acting user against expected administrator accounts.
- Alert on any sequence where a single session creates a role, modifies permissions, and removes another user within a short window.
- Baseline normal Livewire component traffic and flag access to team settings components by accounts that historically lack administrative function.
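The indicators and detection strategies above, implemented as an added example that is not part of this advisory or of Shopper. It scans audit records for RBAC mutations by accounts lacking the write scope and for the create-role / change-permission / delete-user chain inside one session. The log format (one JSON object per line with ts, actor, session, event, target), the event names and the actor-to-permission map are constructed assumptions; map them onto your real audit source and permission model.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory or from Shopper. The log format, the
// event names and the permission map are constructed assumptions.

const WRITE_EVENTS = ['role.created', 'permission.granted', 'user.deleted'];
const HIGH_PRIVILEGE_SCOPES = ['manage_users', 'edit_orders'];

/**
 * @param string[]                $lines            raw JSON audit lines
 * @param array<string, string[]> $actorPermissions permissions each actor held at the
 *        START of the period; do not read the live permission table, because a
 *        successful escalation rewrites it
 * @param int                     $windowSeconds    max span of the role/permission/user chain
 * @return string[] findings, one per line
 */
function detectEscalation(array $lines, array $actorPermissions, int $windowSeconds = 600): array
{
    $findings = [];
    $bySession = [];

    foreach ($lines as $n => $line) {
        $e = json_decode($line, true);
        if (!is_array($e) || !isset($e['ts'], $e['actor'], $e['session'], $e['event'])) {
            $findings[] = sprintf('line %d: unparseable audit record, check the log pipeline', $n + 1);
            continue;
        }
        $ts = strtotime((string) $e['ts']);
        if ($ts === false) {
            $findings[] = sprintf('line %d: bad timestamp %s', $n + 1, $e['ts']);
            continue;
        }
        if (!in_array($e['event'], WRITE_EVENTS, true)) {
            continue; // reads and logins are not of interest here
        }

        // Strategy 1: an RBAC mutation by an account that holds no write scope.
        $perms = $actorPermissions[$e['actor']] ?? [];
        if (!in_array('manage_users', $perms, true)) {
            $granted = $e['target']['permission'] ?? null;
            $findings[] = sprintf(
                '%s: %s%s by %s holding only [%s]',
                $e['ts'],
                $e['event'],
                $granted !== null && in_array($granted, HIGH_PRIVILEGE_SCOPES, true) ? " of $granted" : '',
                $e['actor'],
                implode(', ', $perms)
            );
        }

        // Collect write events per session for strategy 2.
        $bySession[$e['session']][] = ['ts' => $ts, 'event' => $e['event']];
    }

    // Strategy 2: one session creates a role, changes permissions and deletes a
    // user within the window (any order; the most recent of each type is kept).
    foreach ($bySession as $session => $events) {
        usort($events, fn(array $a, array $b) => $a['ts'] <=> $b['ts']);
        $last = [];
        foreach ($events as $ev) {
            $last[$ev['event']] = $ev['ts'];
            if (count($last) === count(WRITE_EVENTS) && max($last) - min($last) <= $windowSeconds) {
                $findings[] = sprintf(
                    'session %s: role creation, permission change and user deletion within %d s',
                    $session,
                    max($last) - min($last)
                );
                break;
            }
        }
    }

    return $findings;
}

// Constructed sample: staff-42 holds only view_users and walks the whole chain in
// session s1; admin-1 performs a routine grant in session s2; one line is garbage.
$sampleLines = [
    '{"ts":"2026-05-29T10:00:00Z","actor":"staff-42","session":"s1","event":"role.created","target":{"role":"ops"}}',
    '{"ts":"2026-05-29T10:01:30Z","actor":"staff-42","session":"s1","event":"permission.granted","target":{"user":"staff-42","permission":"manage_users"}}',
    '{"ts":"2026-05-29T10:03:10Z","actor":"staff-42","session":"s1","event":"user.deleted","target":{"user":"admin-1"}}',
    '{"ts":"2026-05-29T11:00:00Z","actor":"admin-1","session":"s2","event":"permission.granted","target":{"user":"staff-7","permission":"view_users"}}',
    'not json at all',
];
$baselinePermissions = [
    'staff-42' => ['view_users'],
    'admin-1'  => ['view_users', 'manage_users', 'edit_orders'],
];

foreach (detectEscalation($sampleLines, $baselinePermissions) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample input the scanner reports the three staff-42 mutations individually (the grant is called out as a grant of manage_users), one session-level finding for s1 because the three events span 190 seconds, and one unparseable line. The permission map is deliberately a baseline snapshot rather than the live table: after a successful escalation the attacker's row already says manage_users, so the live table would clear them.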
Monitoring Recommendations
- Enable database-level auditing on Shopper's roles, permissions, and users tables to capture mutations outside the application logs.
- Forward web server and application logs to a centralized analytics platform for cross-session correlation.
- Periodically reconcile the administrator user list against a known-good roster and alert on drift.
How to Mitigate CVE-2026-47744
Immediate Actions Required
- Upgrade Shopper to version 2.8.0 or later on all environments running the admin panel.
- Review existing user and role assignments and revoke any unexpected administrator permissions added since deployment.
- Rotate credentials and session tokens for any accounts that hold or held view_users during the vulnerable window.
- Inspect audit logs for role creation, permission grants, and user deletions consistent with the exploitation pattern.
Patch Information
The maintainers fixed both authorization defects in Shopper 2.8.0. The patch adds a mount() authorization check to Settings/Team/Index and binds write operations in Settings/Team/RolePermission to write-scoped permissions instead of view_users. See the GitHub Security Advisory GHSA-c3qp-2ggw-xjg7 for the official remediation guidance.
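As an added example that is neither Shopper's own code nor the actual 2.8.0 patch, the following Livewire components show the shape of the fix described above and of the two defects from the Vulnerability Analysis: an authorization check in mount(), and every mutating action bound to a write-scoped permission rather than view_users. The namespace, the Role and User models, the view names, the helper authorizeTeamWrite() and the permission names are assumptions (the permission names follow the advisory). Three classes are shown in one listing for brevity; they would normally live in separate files.

```php
<?php
// Added example, not Shopper's code. Namespace, models, view names and
// permission names are assumptions that mirror the advisory.

namespace App\Livewire\Settings\Team;

use App\Models\Role;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

abstract class TeamSettingsComponent extends Component
{
    use AuthorizesRequests;

    /**
     * Shared guard for the team-settings screens. Without it on entry, any
     * authenticated user can render the page and reach the public actions
     * below (the Settings/Team/Index defect).
     */
    protected function authorizeTeamWrite(): void
    {
        // Write scope. Checking view_users here instead is the RolePermission
        // defect: a read-only permission would then authorize writes.
        $this->authorize('manage_users');
    }
}

class Index extends TeamSettingsComponent
{
    public function mount(): void
    {
        $this->authorizeTeamWrite();
    }

    public function createRole(string $name): void
    {
        // Re-check inside every action: Livewire actions are client-callable,
        // so the mount() check alone is not defence in depth.
        $this->authorizeTeamWrite();
        Role::create(['name' => $name]);
    }

    public function deleteUser(int $userId): void
    {
        $this->authorizeTeamWrite();
        abort_if($userId === auth()->id(), 422, 'You cannot delete your own account.');
        User::findOrFail($userId)->delete();
    }

    public function render()
    {
        return view('livewire.settings.team.index');
    }
}

class RolePermission extends TeamSettingsComponent
{
    public int $userId;

    public function mount(int $userId): void
    {
        $this->authorizeTeamWrite();
        $this->userId = $userId;
    }

    /**
     * Before the fix this kind of action was gated on view_users, a read-only
     * capability, so anyone able to list users could also grant permissions.
     */
    public function grantPermission(string $permission): void
    {
        $this->authorizeTeamWrite();
        // Assumes a spatie/laravel-permission style User model.
        User::findOrFail($this->userId)->givePermissionTo($permission);
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission');
    }
}
```

The `authorize()` call resolves the permission name through Laravel's Gate, so it assumes manage_users is registered there (spatie/laravel-permission does this automatically through its Gate::before hook; otherwise define it with Gate::define). Repeating the check in each action rather than only in mount() is the point of the example: in Livewire 3 the same effect can be had once per component by placing the check in the boot() hook, which runs on the initial request and on every subsequent action call.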
Workarounds
- Restrict access to the Shopper admin panel to trusted network segments using a reverse proxy or VPN until the upgrade is applied.
- Temporarily revoke the view_users permission from all non-administrator accounts to prevent escalation through Settings/Team/RolePermission.
- Disable self-service account provisioning so attackers cannot create authenticated identities to exploit the flaw.
Upgrade commands, run from the application root of each affected deployment:
# Upgrade Shopper to the patched release
composer require shopper/framework:^2.8.0
php artisan migrate
php artisan view:clear
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.