Authorization Defects in Shopper E-commerce Admin Panel
CVE-2026-47744

9.9 CRITICAL

Key Information:

CVE Published: 29 May 2026

What is CVE-2026-47744?

Before version 2.8.0, the Shopper Admin Panel has two authorization defects, both reachable by any authenticated user. First, the Settings/Team/Index page component performs no authorization check in its mount() hook, so an authenticated user without the corresponding permission can load the page and use its actions to create roles or delete other users, including administrators. Second, the write actions on role permissions are not gated separately from the read path: a user holding only view_users can grant themselves or others arbitrary permissions such as manage_users or edit_orders. Together these defects defeat the RBAC model and allow a low-privileged account to escalate to full administrative access. The fix is to upgrade to 2.8.0 or later.
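The defect class described above, sketched as a before/after pair. This is an added illustration, not code from the Shopper project: it assumes the Settings/Team/Index page is a Livewire component, that the application resolves permission names such as view_users and manage_users through Laravel's Gate, and that User, Role and Permission are ordinary Eloquent models with a Role->permissions() many-to-many relation. The class and method names are hypothetical.

```php
<?php
// Added illustration for CVE-2026-47744, not code from the Shopper project.
// Assumed: the Settings/Team/Index page is a Livewire component, permission
// names (view_users, manage_users, ...) are resolvable via Laravel's Gate, and
// User/Role/Permission are Eloquent models with Role->permissions() belongsToMany.

namespace App\Livewire\Settings\Team;

use App\Models\Permission;
use App\Models\Role;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

// BEFORE: the pattern the advisory describes. mount() checks nothing, and the
// write actions carry no gate of their own, so any authenticated user who can
// render the component can call them.
class IndexBefore extends Component
{
    public function mount(): void
    {
        // no authorization check
    }

    public function deleteUser(int $userId): void
    {
        User::findOrFail($userId)->delete();
    }

    public function syncRolePermissions(int $roleId, array $permissionNames): void
    {
        $ids = Permission::whereIn('name', $permissionNames)->pluck('id');
        Role::findOrFail($roleId)->permissions()->sync($ids);
    }

    public function render()
    {
        return view('livewire.settings.team.index');
    }
}

// AFTER: authorize the page load in mount() AND every mutating action.
// Livewire actions are dispatched over XHR straight to the component method,
// so a check in mount() alone does not protect deleteUser() or the role write.
class Index extends Component
{
    use AuthorizesRequests;

    public function mount(): void
    {
        // Read access to the team page (assumed ability name).
        $this->authorize('view_users');
    }

    public function deleteUser(int $userId): void
    {
        // Write access gated separately from the read path (assumed ability name).
        $this->authorize('manage_users');

        $user = User::findOrFail($userId);
        abort_if($user->is(auth()->user()), 403, 'Cannot delete your own account.');

        $user->delete();
    }

    public function syncRolePermissions(int $roleId, array $permissionNames): void
    {
        $this->authorize('manage_users');

        // A caller may only delegate permissions they already hold; this stops
        // a manage_users holder from handing out edit_orders or anything else
        // they were never granted themselves.
        $notHeld = array_filter($permissionNames, fn (string $p) => ! auth()->user()->can($p));
        abort_if($notHeld !== [], 403, 'Cannot grant permissions you do not hold.');

        $ids = Permission::whereIn('name', $permissionNames)->pluck('id');
        Role::findOrFail($roleId)->permissions()->sync($ids);
    }

    public function render()
    {
        return view('livewire.settings.team.index');
    }
}
```

To confirm the fix (and to catch regressions), exercise the write action as a user who holds only view_users and expect a 403 rather than a successful write, e.g. `Livewire::actingAs($viewer)->test(Index::class)->call('syncRolePermissions', $role->id, ['manage_users'])->assertForbidden();`. Route-level middleware on the admin panel is not a substitute: it runs once when the page is requested, not when each Livewire action is invoked.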

Affected Version(s)

shopper < 2.8.0

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Score: 9.9
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved (date not given)

  • Vulnerability published: 29 May 2026