CVE-2026-47744
Published: 29 May 2026
Summary
CVE-2026-47744 is a critical-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-33407
Vulnerability details
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the…
more
page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in RBAC/team settings directly enables authenticated privilege escalation to admin.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
Periodic reviews identify and correct flaws in authorization decisions or enforcement.
Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
Ensures authorization decisions are always performed by a complete and analyzable reference monitor.
By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Implements core proper privilege management by restricting to only required rights.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.
Review helps detect improper privilege management by flagging unauthorized privilege changes or uses.