Skip to main content

Shopper CVE-2026-47740

| EUVDEUVD-2026-33410 HIGH
Improper Authorization (CWE-285)
2026-05-29 GitHub_M GHSA-f946-9qp6-vgch
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 29, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 29, 2026 - 18:54 vuln.today
Analysis Generated
May 29, 2026 - 18:54 vuln.today

DescriptionGitHub Advisory

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.

AnalysisAI

Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-privilege users with read-only order permissions to mutate every order in the panel and trigger real Payment Service Provider captures via Filament admin actions. The flaw spans multiple Livewire components beyond orders - including product sub-forms, team settings, and RBAC management - enabling privilege escalation up to role creation and user deletion. No public exploit identified at time of analysis, but a detailed GitHub Security Advisory and patch diff are public.

Technical ContextAI

Shopper is a Laravel/Filament-based headless e-commerce admin package (composer/shopper/framework) that uses Livewire components for interactive admin panels. The root cause is CWE-285 Improper Authorization (and CWE-862 Missing Authorization per the GHSA): Filament action callbacks and Livewire component store()/mount() methods did not invoke $this->authorize() against the correct ability, instead gating mutating operations on read-only permissions like read_orders, browse_orders, view_users, or no permission at all. Additionally, public Eloquent model properties on Livewire components were not annotated with the #[Locked] attribute, allowing clients to tamper with bound IDs and operate on records they should not access - the patch adds #[Locked] across Customer, Order, and Product components alongside explicit authorize() calls. A separate stored XSS via DNS1DFacade::getBarcodeHTML() rendered with {!! !!} on the product barcode field is also fixed in 2.8.0.

RemediationAI

Vendor-released patch: 2.8.0 - upgrade by running composer require shopper/admin:^2.8 shopper/cart:^2.8 shopper/core:^2.8 followed by php artisan migrate, per the GHSA-f946-9qp6-vgch advisory. The vendor explicitly states no workarounds exist; if an immediate upgrade is not possible, compensating controls include temporarily revoking all non-administrative roles (read_orders, browse_orders, view_users, and any custom roles missing edit_* abilities) so only fully trusted admins can reach the panel - accepting the operational cost that support and fulfillment staff lose admin access - and disabling external network access to the /admin (or configured Shopper) route via reverse-proxy IP allowlists to limit exposure to known operator workstations. Monitor PSP logs for unexpected capture events and Laravel audit logs for unauthorized cancel/mark-paid/mark-delivered actions until the upgrade lands. Review the patch commit fcd0c5920588702df5b874f432b1042abd77a50b and PR #511 (https://github.com/shopperlabs/shopper/pull/511) to confirm coverage of any locally forked components.

Share

CVE-2026-47740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy