CVE-2026-47744
Shopper: Authorization bypass and RBAC privilege escalation in team settings
Description
## Impact

Two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system:

- `Settings/Team/Index` had no `mount()` authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators.
- `Settings/Team/RolePermission` gated its write actions on the read-only `view_users` permission. Any user holding `view_users` could grant themselves or any other user arbitrary permissions, including `manage_users` and `edit_orders`, effectively escalating to full panel administrator from a read-only account.

Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel.

## Patches

Fixed in `v2.8.0`:

- `Settings/Team/Index::mount()` now authorizes against `manage_users`.
- `Settings/Team/RolePermission` write actions now require `manage_users` instead of `view_users`.

Upgrade via:

```bash
composer require shopper/admin:^2.8
```

## Workarounds

None. Upgrade to `v2.8.0`.
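The two defect classes above, shown as an added illustration in the shape of Livewire components. This is not Shopper's source code: it assumes Laravel with Livewire 3, a `User` model whose `can()` resolves named permissions (for example through spatie/laravel-permission, whose `givePermissionTo()` is used below), and the class, model and action names other than `view_users` and `manage_users` are assumptions. The fix in `mount()` and the switch from `view_users` to `manage_users` mirror what the advisory states for `v2.8.0`; repeating the check inside each write action and refusing self-deletion are extra hardening added here, not part of the advisory.

```php
<?php
// Added example, not Shopper's code. Assumes Laravel + Livewire 3 and a User
// model with can(); permission names view_users / manage_users come from the
// advisory, everything else (class, model and method names) is assumed.
// render() is omitted: Livewire 3 resolves the view by convention.

namespace App\Livewire\Settings\Team;

use App\Models\Role;
use App\Models\User;
use Livewire\Component;

// Fail-closed check shared by the fixed components. Because the Livewire
// request carries the session cookie, auth()->user() is the caller of the
// action, never the user being edited.
trait RequiresPermission
{
    protected function requirePermission(string $permission): void
    {
        abort_unless(auth()->user()?->can($permission), 403);
    }
}

// Defect 1, vulnerable: mount() performs no authorization. Any authenticated
// panel user can render the page, and every public method is callable from
// the browser (wire:click or $wire.deleteUser(id)) whether or not the
// template shows a button for it.
class IndexBefore extends Component
{
    public function mount(): void {}

    public function deleteUser(int $id): void
    {
        User::findOrFail($id)->delete();           // administrators included
    }

    public function createRole(string $name): void
    {
        Role::create(['name' => $name]);
    }
}

// Defect 1, fixed: authorize in mount() as v2.8.0 does, and repeat the check
// in each write action. mount() runs only on the initial page load; later
// action calls are separate requests, so the guard in mount() alone says
// nothing about who is invoking deleteUser() now.
class IndexAfter extends Component
{
    use RequiresPermission;

    public function mount(): void
    {
        $this->requirePermission('manage_users');
    }

    public function deleteUser(int $id): void
    {
        $this->requirePermission('manage_users');
        abort_if($id === auth()->id(), 422);       // extra guard, not from the advisory
        User::findOrFail($id)->delete();
    }

    public function createRole(string $name): void
    {
        $this->requirePermission('manage_users');
        Role::create(['name' => $name]);
    }
}

// Defect 2, vulnerable: a write action gated on the read-only permission.
// A user holding only view_users can call grant($ownId, 'manage_users').
class RolePermissionBefore extends Component
{
    use RequiresPermission;

    public function mount(): void
    {
        $this->requirePermission('view_users');
    }

    public function grant(int $userId, string $permission): void
    {
        $this->requirePermission('view_users');    // wrong: read permission guards a write
        User::findOrFail($userId)->givePermissionTo($permission);
    }
}

// Defect 2, fixed: reading the permission matrix may stay behind view_users,
// but every write requires manage_users.
class RolePermissionAfter extends Component
{
    use RequiresPermission;

    public function mount(): void
    {
        $this->requirePermission('view_users');
    }

    public function grant(int $userId, string $permission): void
    {
        $this->requirePermission('manage_users');  // writes need the write permission
        User::findOrFail($userId)->givePermissionTo($permission);
    }
}
```

The pattern to audit for in any Livewire admin panel is the same as in this advisory: list every public method on a component, decide whether it reads or writes, and confirm the write methods check a write permission themselves rather than relying on `mount()` or on which buttons the template happens to render.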
How to patch CVE-2026-47744
To patch CVE-2026-47744, upgrade the affected package to the patched version listed below.
- shopper/admin (package name taken from the composer command in the advisory): upgrade to 2.8.0 or later
Is CVE-2026-47744 being exploited?
No exploitation signal at present: CVE-2026-47744 is not in the CISA KEV catalog and has no current EPSS score.
Affected packages (1)
- shopper/admin (package name taken from the composer command in the advisory): all versions from 0 up to, but not including, 2.8.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.9) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |