CVE-2026-47745 Overview
CVE-2026-47745 is a missing authorization vulnerability [CWE-862] in Shopper, a headless e-commerce admin panel. Versions prior to 2.8.0 render inline toggles and per-record actions for PaymentMethods, Currencies, and Carriers tables without verifying per-action permissions. Any authenticated panel user can enable, disable, edit, or delete these records regardless of assigned role. A low-privilege user can disable every payment method, alter the default currency, or disable carriers. The result is a full denial of checkout and loss of pricing integrity across the storefront. The issue is fixed in Shopper 2.8.0.
Critical Impact
Any authenticated user can disable all payment methods, currencies, and carriers, breaking checkout and corrupting pricing data store-wide.
Affected Products
- Shopper headless e-commerce admin panel versions prior to 2.8.0
- Storefronts using Shopper-managed PaymentMethods configuration
- Storefronts using Shopper-managed Currencies and Carriers configuration
Discovery Timeline
- 2026-05-29 - CVE-2026-47745 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-47745
Vulnerability Analysis
The vulnerability stems from improper authorization enforcement in the Shopper admin panel. The framework renders administrative tables for PaymentMethods, Currencies, and Carriers with inline action controls such as enable toggles, disable toggles, edit buttons, and delete buttons. These controls are emitted to any authenticated panel user without checking whether the user holds the corresponding per-action permission for the targeted resource.
When a low-privilege user invokes one of these actions, the backend processes the request without re-validating authorization. An attacker with valid panel credentials can disable every payment method on the store, switch or disable the default currency, or disable all shipping carriers. Each action directly disrupts the checkout flow and corrupts pricing integrity.
The attack requires only network access to the panel and a single low-privilege account, with no user interaction beyond the attacker session.
Root Cause
The root cause is missing authorization [CWE-862] in the admin table rendering and action handler logic. The application conflates authentication with authorization, treating any logged-in session as entitled to administrative inline actions. Per-action permission checks exist in the role model but are not applied at the rendering layer or at the action endpoint for these three resource types.
Attack Vector
An authenticated attacker with any panel role navigates to the admin pages for payment methods, currencies, or carriers. The attacker triggers the inline toggle or per-record action through the panel UI or by replaying the underlying HTTP request. The server executes the state change without verifying permissions. Repeating the action across every record produces a complete denial of checkout.
No verified public proof-of-concept code is available. Technical details are documented in the GitHub Security Advisory GHSA-fxqw-97cc-7g5c and the corresponding GitHub Pull Request 511.
Detection Methods for CVE-2026-47745
Indicators of Compromise
- Unexpected disabled state changes on records in PaymentMethods, Currencies, or Carriers tables
- Audit log entries showing enable, disable, edit, or delete actions performed by non-administrative panel accounts
- Customer reports of checkout failures or missing payment options correlated with admin panel activity
- Modifications to the default currency record originating from low-privilege user sessions
Detection Strategies
- Review application audit logs for state-change events on payment, currency, and carrier resources, filtered by user role
- Compare current configuration of payment methods and carriers against a known-good baseline on a scheduled basis
- Alert on any change to the default currency outside an approved change window
Monitoring Recommendations
- Forward Shopper application and web server logs to a centralized log platform for retention and correlation
- Monitor authentication events for panel accounts and correlate them with subsequent administrative actions
- Track HTTP POST and PATCH requests targeting PaymentMethods, Currencies, and Carriers endpoints by source user
How to Mitigate CVE-2026-47745
Immediate Actions Required
- Upgrade Shopper to version 2.8.0 or later to apply the authorization checks added by the maintainers
- Audit all panel user accounts and remove unused or over-privileged accounts
- Restore configuration baselines for payment methods, currencies, and carriers if tampering is detected
- Rotate credentials for any panel account suspected of unauthorized use
Patch Information
The vulnerability is fixed in Shopper 2.8.0. The fix enforces per-action permission checks at the rendering and handler layers for PaymentMethods, Currencies, and Carriers admin tables. Patch details are available in GitHub Pull Request 511 and the GitHub Security Advisory GHSA-fxqw-97cc-7g5c.
Workarounds
- Restrict panel access at the network layer to trusted administrative IP ranges until the upgrade is applied
- Temporarily revoke panel access for non-administrative users until version 2.8.0 is deployed
- Increase audit log review frequency for the affected resource types as a compensating control
# Upgrade Shopper via Composer to the patched release
composer require shopper/framework:^2.8.0
php artisan migrate
php artisan config:clear
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
