Skip to content

Commit dcad0d2

Browse files
1 parent 7605c07 commit dcad0d2

1 file changed

Lines changed: 66 additions & 0 deletions

File tree

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-c3qp-2ggw-xjg7",
4+
"modified": "2026-06-05T20:35:51Z",
5+
"published": "2026-06-05T20:35:51Z",
6+
"aliases": [
7+
"CVE-2026-47744"
8+
],
9+
"summary": "Shopper: Authorization bypass and RBAC privilege escalation in team settings",
10+
"details": "## Impact\n\nTwo distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system:\n\n- `Settings/Team/Index` had no `mount()` authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators.\n- `Settings/Team/RolePermission` gated its write actions on the read-only `view_users` permission. Any user holding `view_users` could grant themselves or any other user arbitrary permissions, including `manage_users` and `edit_orders`, effectively escalating to full panel administrator from a read-only account.\n\nCombined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel.\n\n## Patches\n\nFixed in `v2.8.0`:\n\n- `Settings/Team/Index::mount()` now authorizes against `manage_users`.\n- `Settings/Team/RolePermission` write actions now require `manage_users` instead of `view_users`.\n\nUpgrade via:\n\n```bash\ncomposer require shopper/admin:^2.8\n```\n\n## Workarounds\n\nNone. Upgrade to `v2.8.0`.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "shopper/framework"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.8.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/shopperlabs/shopper/security/advisories/GHSA-c3qp-2ggw-xjg7"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47744"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/shopperlabs/shopper/pull/511"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/shopperlabs/shopper"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-269",
59+
"CWE-285"
60+
],
61+
"severity": "CRITICAL",
62+
"github_reviewed": true,
63+
"github_reviewed_at": "2026-06-05T20:35:51Z",
64+
"nvd_published_at": "2026-05-29T19:16:26Z"
65+
}
66+
}

0 commit comments

Comments
 (0)