Cyber Resilience

CVE-2026-47744

CriticalUpdated

Published: 29 May 2026

Published
29 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0032 23.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-47744 is a critical-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the…

more

page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authorization bypass in RBAC/team settings directly enables authenticated privilege escalation to admin.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-285 CWE-269

Documented procedures facilitate correct implementation and ongoing management of authorization decisions.

addresses: CWE-285 CWE-269

Periodic reviews identify and correct flaws in authorization decisions or enforcement.

addresses: CWE-285 CWE-269

Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.

addresses: CWE-285 CWE-269

Ensures authorization decisions are always performed by a complete and analyzable reference monitor.

addresses: CWE-269 CWE-285

By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.

addresses: CWE-269 CWE-285

Implements core proper privilege management by restricting to only required rights.

addresses: CWE-269 CWE-285

Training covers proper privilege management practices, making incorrect privilege assignments less likely.

addresses: CWE-269 CWE-285

Review helps detect improper privilege management by flagging unauthorized privilege changes or uses.

References