CVE-2026-47744: Shopper: Authorization bypass and RBAC privilege escalation in team settings
Shopper is a headless e-commerce admin panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization: any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission: any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
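The two defect patterns the advisory names, shown beside a hardened form as an added illustration (this is not Shopper's own code and does not reproduce its components). It assumes a Laravel + Livewire application, a hypothetical `App\Models\Role` model, a hypothetical `givePermissionTo()` method on `App\Models\User`, and that the permission names from the advisory (`view_users`, `manage_users`, `edit_orders`) are registered as Gate abilities so that `$this->authorize()` can resolve them; the namespace and class names are likewise assumed.

```php
<?php
// Added illustration, not Shopper's code. Reproduces the two authorization defect
// patterns from the advisory next to a hardened form. Assumptions: Laravel + Livewire,
// a hypothetical App\Models\Role, a hypothetical User::givePermissionTo(), and
// permission names registered as Gate abilities. render() is omitted for brevity.

namespace App\Livewire\Settings\Team;

use App\Models\Role;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

// Defect 1 pattern: mount() does not restrict who can render the component, so the
// public actions below are callable by any authenticated session that loads the page.
final class VulnerableIndex extends Component
{
    public function mount(): void
    {
        // no authorization at all
    }

    public function createRole(string $name): void
    {
        Role::create(['name' => $name]);
    }

    public function deleteUser(int $userId): void
    {
        User::findOrFail($userId)->delete(); // any account, administrators included
    }
}

// Hardened form: authorize in mount() so the page never renders for unprivileged
// users, and again inside every public action. Livewire runs mount() only on the
// initial render; later action calls hydrate the component from its snapshot without
// re-running it, so a check that lives only in mount() does not notice a permission
// revoked after the page loaded and gives no defense in depth for the actions.
final class HardenedIndex extends Component
{
    use AuthorizesRequests;

    public function mount(): void
    {
        $this->authorize('manage_users');
    }

    public function createRole(string $name): void
    {
        $this->authorize('manage_users');
        Role::create(['name' => $name]);
    }

    public function deleteUser(int $userId): void
    {
        $this->authorize('manage_users');
        abort_if($userId === auth()->id(), 403, 'You cannot delete your own account.');
        User::findOrFail($userId)->delete();
    }
}

// Defect 2 pattern: the write action checks view_users, a read-only permission, so
// any account that may list users can hand manage_users to itself.
final class VulnerableRolePermission extends Component
{
    use AuthorizesRequests;

    public int $userId;

    public function mount(int $userId): void
    {
        $this->authorize('view_users');
        $this->userId = $userId;
    }

    public function grantPermission(string $permission): void
    {
        $this->authorize('view_users'); // read permission gating a write
        User::findOrFail($this->userId)->givePermissionTo($permission);
    }
}

// Hardened form: reading the page may stay behind view_users, but every write
// requires the managing permission, and the grantable set is an explicit allowlist
// (illustrative here) so an unexpected permission name cannot be passed through.
final class HardenedRolePermission extends Component
{
    use AuthorizesRequests;

    private const GRANTABLE = ['view_users', 'manage_users', 'edit_orders'];

    public int $userId;

    public function mount(int $userId): void
    {
        $this->authorize('view_users');
        $this->userId = $userId;
    }

    public function grantPermission(string $permission): void
    {
        $this->authorize('manage_users');
        abort_unless(in_array($permission, self::GRANTABLE, true), 422, 'Unknown permission.');
        User::findOrFail($this->userId)->givePermissionTo($permission);
    }
}
```

The check worth carrying over to any Livewire panel: every public method on a component is an HTTP-reachable endpoint, so each one needs its own authorization call, and the permission it checks must be the one that covers the write being performed, not the one that covers viewing the page.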
HarborGuard Analysis
Synopsis
Authorization bypass and RBAC privilege escalation in Shopper, a headless e-commerce admin panel, where two flaws in the team settings let any authenticated panel user take over the role-based access control system. The bugs are reachable over the network by anyone with a low-privilege account and require no victim interaction: the Settings/Team/Index page lacks a mount() authorization check, and the Settings/Team/RolePermission writes are gated on the read-only view_users permission. Successful exploitation lets a low-privilege user create roles, grant themselves manage_users and edit_orders, and delete legitimate administrators, taking full control of the panel. The description states a fix landed in 2.8.0; a patched-image rebuild at that version is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against shopperlabs/shopper installs in customer registries and pipelines, including custom-built images that bundle the panel.
- Triage: Available
Triage is available with the CVSS 9.9 critical score applied and reweighted against each customer's compliance policy, then routed to the security inbox configured for that org so the right team sees it first.
- Patched image: Pending upstream
A patched-image rebuild at Shopper 2.8.0 is available on HarborGuard for affected environments. For customers who opt into auto-remediation, the rebuild is produced, regression-tested, and a PR is opened against the workloads that reference the affected image.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Shopper admin panel over the network (AV:N).
- Authentication: Required
Any low-privilege authenticated panel account is sufficient; the Index page actions need no permission at all, and even a read-only user holding view_users can trigger the permission escalation (PR:L).
- Victim interaction: Not required
No administrator or other user needs to click or approve anything for exploitation (UI:N).
- Attack complexity: Low
Exploitation is reliable and requires no special conditions, only standard panel actions (AC:L).
Blast Radius
- Creates arbitrary roles and grants manage_users, edit_orders, and other administrative permissions to any account.
- Deletes existing users including legitimate administrators, locking them out of the panel.
- Reads and modifies customer records, orders, and other data accessible to a full panel administrator.
- Disrupts availability of the admin panel by removing administrators and reshaping the RBAC configuration.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at Shopper 2.8.0 for environments running an affected version. For customers with auto-remediation enabled, the rebuild is produced, regression-tested, and a PR is opened against workloads referencing the affected image; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments. Where compliance policy requires manual approval, the patched image is staged and the triage ticket is routed to the configured security inbox with the 2.8.0 upgrade pre-validated.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected products: 1
- shopperlabs/shopper < 2.8.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H