Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

CVE-2026-47744: Shopper Headless e-commerce Admin Panel: Unauthorized Admin Access

CVE-2026-47744

Summary

Prior to version 2.8.0, any authenticated user could take over the Shopper Admin Panel, creating new administrator roles and deleting other users, including legitimate administrators. This allowed a low-privilege user to gain full control of the panel. The issue is fixed in version 2.8.0, so update to the latest version to ensure security.

Original title

Original description

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.

nvd CVSS3.1 9.9

Vulnerability type

CWE-269 Improper Privilege Management

CWE-285 Improper Authorization

https://github.com/shopperlabs/shopper/security/advisories/GHSA-c3qp-2ggw-xjg7

Published: 29 May 2026 · Updated: 31 May 2026 · First seen: 29 May 2026