CVE-2026-47740: CWE-285: Improper Authorization in shopperlabs shopper
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.
AI Analysis
Technical Summary
Shopperlabs' shopper (a Headless e-commerce Admin Panel) versions before 2.8.0 contain an improper authorization vulnerability (CWE-285) where multiple Filament actions on order details and shipments tables can be invoked by users with only read permissions (read_orders or browse_orders) instead of requiring edit_orders permission. This includes critical actions such as cancel, mark paid, mark complete, capture payment, archive, and start processing on orders, as well as marking shipments delivered and editing tracking. The capturePayment action can cause real payment service provider captures, resulting in actual financial transactions. The vulnerability is addressed in version 2.8.0.
Potential Impact
An authenticated user with low privileges and read-only access to orders can perform unauthorized modifications to order statuses and trigger real payment captures, potentially causing financial loss and disruption of order processing. The confidentiality and integrity of order data are compromised, and unauthorized payment captures can lead to unintended fund movements. Availability is not impacted.
Mitigation Recommendations
This vulnerability is fixed in shopper version 2.8.0. Users should upgrade to version 2.8.0 or later to remediate this issue. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated but the fix is available in the specified version. There is no indication that this is a cloud service; therefore, manual upgrade is required.
CVE-2026-47740: CWE-285: Improper Authorization in shopperlabs shopper
Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.
CVSS v3.1
Score 8.1high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Shopperlabs' shopper (a Headless e-commerce Admin Panel) versions before 2.8.0 contain an improper authorization vulnerability (CWE-285) where multiple Filament actions on order details and shipments tables can be invoked by users with only read permissions (read_orders or browse_orders) instead of requiring edit_orders permission. This includes critical actions such as cancel, mark paid, mark complete, capture payment, archive, and start processing on orders, as well as marking shipments delivered and editing tracking. The capturePayment action can cause real payment service provider captures, resulting in actual financial transactions. The vulnerability is addressed in version 2.8.0.
Potential Impact
An authenticated user with low privileges and read-only access to orders can perform unauthorized modifications to order statuses and trigger real payment captures, potentially causing financial loss and disruption of order processing. The confidentiality and integrity of order data are compromised, and unauthorized payment captures can lead to unintended fund movements. Availability is not impacted.
Mitigation Recommendations
This vulnerability is fixed in shopper version 2.8.0. Users should upgrade to version 2.8.0 or later to remediate this issue. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated but the fix is available in the specified version. There is no indication that this is a cloud service; therefore, manual upgrade is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T22:16:39.504Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19dc07e29bf47b50ff85d7
Added to database: 5/29/2026, 6:33:43 PM
Last enriched: 5/29/2026, 7:03:28 PM
Last updated: 5/31/2026, 4:55:52 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.