Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Shopper, a headless e‑commerce admin panel, contains two independent authorization defects in its team settings that together let an authenticated user take over the RBAC system. The Settings/Team/Index component performs no authorization in mount(), so any authenticated user can load the page and invoke its public actions to create new roles and delete users, including administrators. Separately, the write actions of Settings/Team/RolePermission are gated only on the read‑only view_users permission, so any user holding view_users can grant themselves or others arbitrary permissions such as manage_users or edit_orders, elevating a read‑only account to full panel administrator. Together, these flaws let a non‑admin user acquire administrative rights and delete the legitimate administrators, compromising the panel's entire administrative control plane.

Affected Systems

The product is Shopper by ShopperLabs. All Shopper releases prior to version 2.8.0 are affected; the advisory states that the vulnerability is fixed in 2.8.0, but no further patch level or build numbers are specified.

Risk and Exploitability

The vulnerability is rated CVSS 3.1 9.9 (Critical) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, and a scope change because a low‑privilege panel account is used to take over the panel's own authorization model. EPSS is below 1%, the issue is not listed in CISA KEV, and the SSVC assessment records no known exploitation and marks it as not automatable. The only precondition is a valid low‑privilege panel session: the Settings/Team/Index defect needs nothing beyond authentication, and the RolePermission defect needs only the read‑only view_users permission. Once exploited, the attacker can grant themselves manage_users, delete the legitimate administrators and retain sole control of the panel, so the impact of a compromised or malicious low‑privilege account is total.

Generated by OpenCVE AI on May 29, 2026 at 20:06 UTC.
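The following is an added illustration of the two defects described in the Description and Impact sections, written for this page rather than taken from the Shopper project: a Livewire-style team-settings page in its vulnerable shape beside the hardened shape. The class names, the App\Models\User and Spatie\Permission\Models\Role models, and the assumption that the view_users and manage_users abilities are registered with Laravel's Gate (as spatie/laravel-permission does) are assumptions for the example, not facts from the advisory.

```php
<?php
// Added illustration, not Shopper's code. Assumed names: App\Models\User,
// Spatie\Permission\Models\Role, and the abilities 'view_users' / 'manage_users'
// registered with Laravel's Gate (spatie/laravel-permission does this for you).

namespace App\Livewire\Settings\Team;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Livewire\Component;
use Spatie\Permission\Models\Role;

// BEFORE (the first defect): mount() never authorizes, so every authenticated
// panel user can render the component and call its public actions over the wire.
class IndexBefore extends Component
{
    public function mount(): void
    {
        // No authorization check at all.
    }

    public function createRole(string $name): void
    {
        Role::create(['name' => $name]);        // reachable by any authenticated user
    }

    public function deleteUser(int $userId): void
    {
        User::findOrFail($userId)->delete();    // including administrators
    }
}

// AFTER: require the write ability when the page is mounted AND inside every
// public action. mount() runs only on the initial request; later action calls
// hydrate the component without calling it, so each action must check as well.
class Index extends Component
{
    public function mount(): void
    {
        Gate::authorize('manage_users');        // throws -> HTTP 403 for everyone else
    }

    public function createRole(string $name): void
    {
        Gate::authorize('manage_users');
        Role::create(['name' => $name]);
    }

    public function deleteUser(int $userId): void
    {
        Gate::authorize('manage_users');
        abort_if($userId === (int) auth()->id(), 422, 'Ask another administrator to remove this account.');
        User::findOrFail($userId)->delete();
    }
}

// The second defect: RolePermission's write actions were gated on the read-only
// view_users ability. Reading and writing must be separate checks.
class RolePermission extends Component
{
    public int $userId;

    public function mount(int $userId): void
    {
        Gate::authorize('view_users');          // rendering the page is a read
        $this->userId = $userId;
    }

    public function grantPermission(string $permission): void
    {
        // BEFORE: Gate::authorize('view_users');  -> any viewer could grant manage_users
        Gate::authorize('manage_users');        // AFTER: writes need the write ability
        User::findOrFail($this->userId)->givePermissionTo($permission);
    }

    public function revokePermission(string $permission): void
    {
        Gate::authorize('manage_users');
        User::findOrFail($this->userId)->revokePermissionTo($permission);
    }
}
```

Gate::authorize throws an AuthorizationException, which Laravel renders as a 403, so a failed check in either mount() or an action aborts the request before any role or user row is touched. The per-action checks are the part worth copying: Livewire does not re-run mount() when a client invokes an action on an already-rendered component, so a check that lives only in mount() protects the first render and nothing after it.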

Remediation

The advisory states that both defects are fixed in Shopper 2.8.0; no workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade Shopper to version 2.8.0 or later to apply the vendor's fix.
  • Audit the panel's roles, permission grants and user list for changes made while an affected version was running: unexpected new roles, accounts that newly hold manage_users, edit_orders or other write permissions, and administrator accounts that have been deleted. Revoke the unexpected grants and restore the legitimate administrators rather than deleting administrative accounts wholesale.
  • Until the upgrade is applied, grant view_users only to accounts that genuinely need it, since on affected versions view_users alone is enough to escalate, and restrict who can reach the team settings pages at all. After upgrading, confirm that creating roles, deleting users and changing permissions all require manage_users.

Generated by OpenCVE AI on May 29, 2026 at 20:06 UTC.
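To support the audit step above, the following added example (not part of the advisory or the Shopper project) enumerates which panel users hold the abilities that this issue turns into full control, resolving grants made directly and grants inherited through a role, and then diffs the holders of manage_users against the administrators you expect. It assumes spatie/laravel-permission's HasRoles trait on App\Models\User; that is an assumption about the deployment, not a fact from the page.

```php
<?php
// Added example, not Shopper's code. Assumes spatie/laravel-permission's HasRoles
// trait on App\Models\User (roles() and permissions() relations) and that the
// abilities are named as in the advisory: manage_users, view_users, edit_orders.

use App\Models\User;

/**
 * Map each user's email to the sensitive abilities they hold, whether granted
 * directly or inherited through a role. Users holding none are omitted.
 */
function sensitiveGrants(array $abilities = ['manage_users', 'view_users', 'edit_orders']): array
{
    $report = [];
    foreach (User::with(['roles.permissions', 'permissions'])->cursor() as $user) {
        $direct  = $user->permissions->pluck('name');
        $viaRole = $user->roles->flatMap(fn ($role) => $role->permissions->pluck('name'));
        $held    = $direct->merge($viaRole)->unique()->intersect($abilities)->values();

        if ($held->isNotEmpty()) {
            $report[$user->email] = [
                'abilities' => $held->all(),
                // Direct grants are the ones an attacker would have made through
                // RolePermission; role-inherited grants came from role membership.
                'direct'    => $direct->intersect($abilities)->values()->all(),
                'roles'     => $user->roles->pluck('name')->all(),
            ];
        }
    }
    return $report;
}

/**
 * Accounts holding manage_users that are not on your list of expected administrators.
 * On an install that ran an affected version, review these first.
 */
function unexpectedAdmins(array $report, array $expectedAdmins): array
{
    return array_filter(
        $report,
        fn ($entry, $email) => in_array('manage_users', $entry['abilities'], true)
            && !in_array($email, $expectedAdmins, true),
        ARRAY_FILTER_USE_BOTH
    );
}

// Example invocation, e.g. from `php artisan tinker` (owner@example.com is a placeholder):
// print_r(unexpectedAdmins(sensitiveGrants(), ['owner@example.com']));
```

The report is read-only by design: revoking permissions from the same script would repeat the mistake of letting one account rewrite the RBAC state without review. Compare the output against the pre-incident role assignments from backups or audit logs before revoking anything.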


Advisories

Source: GitHub GHSA
ID: GHSA-c3qp-2ggw-xjg7
Title: Shopper: Authorization bypass and RBAC privilege escalation in team settings
History

Each entry below lists the changed field and the values added; no values were removed in any entry.

Sat, 30 May 2026 23:00:00 +0000

  First Time appeared: Shopperlabs; Shopperlabs shopper
  Vendors & Products: Shopperlabs; Shopperlabs shopper

Fri, 29 May 2026 22:30:00 +0000

  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 18:30:00 +0000

  Description: the advisory text reproduced in full in the Description section at the top of this page
  Title: Shopper: Authorization bypass and RBAC privilege escalation in team settings
  Weaknesses: CWE-269, CWE-285
  References: (no values recorded)
  Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T21:38:15.231Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47744

Vulnrichment

Updated: 2026-05-29T21:38:11.856Z

NVD

Status: Deferred

Published: 2026-05-29T19:16:26.037

Modified: 2026-05-29T20:17:38.110

Link: CVE-2026-47744

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:18:09Z

Weaknesses
  • CWE-269: Improper Privilege Management
  • CWE-285: Improper Authorization