CVE-2026-47740 | Severity: HIGH | CNA: GitHub_M

CVE-2026-47740: Shopper: Authorization bypass in multiple Livewire admin components

Shopper is a headless e-commerce admin panel. Prior to 2.8.0, multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders; capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.
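The bug class described above is a mutating Filament action gated on a read permission (or on nothing at all). The following is an added illustration written for this page, not Shopper's code and not the upstream fix: it shows the weak pattern beside a hardened one for a page action (capture payment) and a table action (mark delivered). It assumes Filament v3 action classes and the permission names read_orders, browse_orders and edit_orders quoted in the advisory; `$order`, `$record`, the `delivered_at` column and the `$gateway->capture()` call are placeholders for the real models and PSP client.

```php
<?php
// Added illustration for this advisory; not Shopper's code. Assumes Filament v3
// actions and the permission names read_orders / browse_orders / edit_orders.
// $order, $record, delivered_at and $gateway->capture() are placeholders.

declare(strict_types=1);

namespace App\Filament\Illustration;

use Filament\Actions\Action as PageAction;
use Filament\Tables\Actions\Action as TableAction;
use Illuminate\Database\Eloquent\Model;

final class OrderActions
{
    /** Server-side mutation check shared by every action that changes an order. */
    public static function canEditOrders(): bool
    {
        $user = auth()->user();

        return $user !== null && $user->can('edit_orders');
    }

    /**
     * Weak pattern (the class of bug the advisory describes): the action is
     * gated on the same read-only permission that grants access to the order
     * page, so any account that can view the order can also capture funds.
     */
    public static function capturePaymentWeak(Model $order, object $gateway): PageAction
    {
        return PageAction::make('capturePayment')
            ->label('Capture payment')
            ->visible(fn (): bool => auth()->user()?->can('read_orders') ?? false)
            ->action(function () use ($order, $gateway): void {
                $gateway->capture($order); // real funds movement, no edit check
            });
    }

    /**
     * Hardened pattern: the mutation permission is required for visibility and
     * is re-checked inside the callback, so the check holds on the server
     * whether the action is reached through the rendered button or through a
     * Livewire request that names the action directly.
     */
    public static function capturePaymentHardened(Model $order, object $gateway): PageAction
    {
        return PageAction::make('capturePayment')
            ->label('Capture payment')
            ->requiresConfirmation()
            ->visible(fn (): bool => self::canEditOrders())
            ->action(function () use ($order, $gateway): void {
                abort_unless(self::canEditOrders(), 403);
                $gateway->capture($order);
            });
    }

    /**
     * Same rule for a table row action: browse_orders is enough to list
     * shipments, but marking one delivered is a mutation and needs edit_orders.
     */
    public static function markDeliveredHardened(): TableAction
    {
        return TableAction::make('markDelivered')
            ->label('Mark delivered')
            ->visible(fn (): bool => self::canEditOrders())
            ->action(function (Model $record): void {
                abort_unless(self::canEditOrders(), 403);
                $record->forceFill(['delivered_at' => now()])->save(); // placeholder column
            });
    }
}
```

The in-callback `abort_unless` is the part that matters for this advisory: hiding a button only controls what the UI renders, while a Livewire component still exposes the action by name, so the permission that authorizes the mutation has to be enforced where the mutation runs.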

HarborGuard Analysis

Synopsis

Authorization bypass in multiple Livewire admin components of Shopper, a headless e-commerce admin panel. The flaw is reachable over the network by any authenticated low-privilege user with read-only order permissions, who can then invoke order mutation actions (cancel, mark paid, mark complete, capture payment, archive, start processing, mark delivered, edit tracking) that should require edit_orders. Successful exploitation lets a read-only user alter the lifecycle of every order and trigger real payment captures against the configured PSP. A patched-image rebuild at Shopper 2.8.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Shopper versions in customer registries, CI pipelines, and custom-built images. Images bundling shopperlabs/shopper at versions below 2.8.0 are flagged on the next scan cycle.
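The detection above is a version match on shopperlabs/shopper. As an added example, not HarborGuard's scanner and not Shopper code, the same check can be run locally against a project's composer.lock; it assumes the standard Composer lock layout (`packages` and `packages-dev` arrays with `name` and `version` keys), and the embedded lock fragment is constructed for a stand-alone run.

```php
<?php
// Added local check for this advisory; not HarborGuard or Shopper code.
// Reads a composer.lock and reports whether shopperlabs/shopper is below 2.8.0.

declare(strict_types=1);

const SHOPPER_PACKAGE = 'shopperlabs/shopper';
const SHOPPER_FIXED   = '2.8.0';

/** Installed version of $package from composer.lock JSON, or null if absent. */
function installedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);

    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? null) === $package) {
                return (string) $entry['version'];
            }
        }
    }

    return null;
}

/** True when $version sorts below $fixed (the advisory's affected range). */
function isAffected(string $version, string $fixed = SHOPPER_FIXED): bool
{
    // Composer prints tagged releases as "v2.7.4". version_compare() treats a
    // bare "v" as a pre-release marker and would mis-order "v2.9.0" below
    // "2.8.0", so strip it first. Branch aliases such as "dev-main" still sort
    // below any number and are therefore reported as affected (conservative).
    $normalized = ltrim($version, 'vV');

    return version_compare($normalized, $fixed, '<');
}

// Constructed sample lock fragment used when no path is given on the command line.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'laravel/framework', 'version' => 'v11.0.0'],
        ['name' => 'shopperlabs/shopper', 'version' => 'v2.7.4'],
    ],
    'packages-dev' => [],
], JSON_THROW_ON_ERROR);

$path     = $argv[1] ?? null;
$lockJson = $path !== null ? (string) file_get_contents($path) : $sampleLock;
$version  = installedVersion($lockJson, SHOPPER_PACKAGE);

if ($version === null) {
    echo SHOPPER_PACKAGE . " not present in lock file\n";
} elseif (isAffected($version)) {
    echo "AFFECTED: {$version} < " . SHOPPER_FIXED . " (CVE-2026-47740)\n";
    exit(1);
} else {
    echo "ok: {$version} is at or above " . SHOPPER_FIXED . "\n";
}
```

Run it as `php check.php /path/to/composer.lock`; the non-zero exit on an affected version lets it sit in a CI step until the version bump lands.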
Triage: Available

Triage is available with the published CVSS 3.1 score of 8.1 (HIGH) weighted against each customer's compliance policy, so environments that treat order tampering or payment-system exposure as elevated risk see the finding escalated. Findings route into the appropriate inbox inside each customer org based on image ownership and workload tags.
Patch: Pending upstream

A patched-image rebuild at Shopper 2.8.0 becomes available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild runs through regression tests and a pull request is opened against the affected workloads with the version bump.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Shopper admin panel over the network (AV:N).

  • Authentication: Required

    Any low-privilege authenticated account with read_orders or browse_orders is sufficient (PR:L).

  • Victim interaction: Not required

    No victim action is needed; the attacker invokes the Livewire actions directly (UI:N).

  • Attack complexity: Low

    Attack complexity is low: the vulnerable actions are reliably callable without environmental preconditions (AC:L).

Blast Radius

  • Alters the lifecycle of any order in the panel by invoking cancel, mark paid, mark complete, archive, or start processing.
  • Triggers a real payment capture through the configured PSP via capturePayment, causing actual funds movement.
  • Modifies shipment state through mark delivered and edit tracking, corrupting fulfillment records.
  • Reads order detail data exposed through the same admin views, disclosing customer order contents.

How HarborGuard Handles This

Available on HarborGuard: scans flag any image containing shopperlabs/shopper below 2.8.0, and a patched-image rebuild at 2.8.0 is offered for affected environments. For customers with auto-remediation enabled, the rebuild is regression-tested and a PR is opened against the affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Until the bump lands, operators should consider restricting admin panel network exposure and auditing which accounts hold read_orders or browse_orders, since any such account can currently mutate orders and trigger PSP captures.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 2.8.0
Affected products: 1
Affected packages:
  • shopperlabs/shopper < 2.8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N