# [CRIT] [GHSA / CRITICAL] CVE-2026-47744: Shopper: Authorization bypass and RBAC privilege escalation in team settings

**Source:** GitHub Security Advisories
**Published:** 2026-06-05
**Article:** https://github.com/advisories/GHSA-c3qp-2ggw-xjg7

## Threat Profile

Shopper: Authorization bypass and RBAC privilege escalation in team settings

## Impact

Two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system:

- `Settings/Team/Index` had no `mount()` authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators.
- `Settings/Team/RolePermission` gated its write actions on the read-only `view_users` perm…
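To make the two defect classes concrete for defenders reviewing their own Livewire components, the following added illustration (not Shopper's code, and not taken from the advisory) shows the vulnerable shape beside the hardened one. Class names, the `manage_users` / `manage_roles` / `delete_users` permission names and the view path are assumptions; the only names taken from the advisory are `Settings/Team/Index` and the read-only `view_users` permission.

```php
<?php
// Added illustration, not Shopper's code. Permission names, class names and the
// view path are assumptions chosen for the example.

namespace App\Livewire\Settings\Team;

use App\Models\Role;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

// Vulnerable shape (defect 1): no authorization in mount(), and the public
// actions carry no checks either, so any authenticated user who can reach the
// page can create roles and delete users, administrators included.
class IndexVulnerable extends Component
{
    public function createRole(string $name): void
    {
        Role::create(['name' => $name]);      // no permission check at all
    }

    public function deleteUser(int $userId): void
    {
        User::findOrFail($userId)->delete();  // no permission check at all
    }

    public function render()
    {
        return view('livewire.settings.team.index'); // assumed view path
    }
}

// Vulnerable shape (defect 2): a write action gated on the read-only
// 'view_users' permission, so every user who may list users may also delete them.
class RolePermissionVulnerable extends Component
{
    public function deleteUser(int $userId): void
    {
        abort_unless(auth()->user()?->can('view_users'), 403); // wrong gate: read perm
        User::findOrFail($userId)->delete();
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission'); // assumed view path
    }
}

// Hardened shape: gate the page load in mount(), then re-check a write-level
// permission inside every action. The per-action check matters because Livewire
// actions are reachable through the /livewire/update endpoint independently of
// the initial page render, which is why the hunt below watches that path.
class Index extends Component
{
    use AuthorizesRequests;

    public function mount(): void
    {
        // Assumed write permission; never gate on the read-only 'view_users'.
        abort_unless(auth()->user()?->can('manage_users'), 403);
    }

    public function createRole(string $name): void
    {
        abort_unless(auth()->user()?->can('manage_roles'), 403); // assumed permission
        Role::create(['name' => $name]);
    }

    public function deleteUser(int $userId): void
    {
        abort_unless(auth()->user()?->can('delete_users'), 403); // assumed permission
        $target = User::findOrFail($userId);
        // Refuse self-deletion so an admin cannot lock the panel by mistake.
        abort_if($target->is(auth()->user()), 422);
        $target->delete();
    }

    public function render()
    {
        return view('livewire.settings.team.index'); // assumed view path
    }
}
```

The point to check when auditing similar components: a permission check placed only in `mount()` protects the first render, not the actions, and an action gated on a read permission is equivalent to no gate at all for anyone who can already see the page. Each mutating action needs its own write-level authorization call.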

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-47744`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1068** — Exploitation for Privilege Escalation
- **T1078.003** — Valid Accounts: Local Accounts

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### HTTP access to Shopper admin team-settings / Livewire endpoints (CVE-2026-47744)

`UC_115_1` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as http_method values(Web.status) as status values(Web.user) as user values(Web.src) as src_ip values(Web.url) as url from datamodel=Web.Web where (Web.url IN ("*settings/team*","*settings.team.index*","*settings.team.role-permission*","*settings.team.rolePermission*") OR Web.url IN ("*/livewire/update*","*/livewire/message/settings.team*")) by Web.src Web.user Web.url Web.http_method Web.status Web.dest | `drop_dm_object_name(Web)` | where http_method IN ("POST","PUT","PATCH") OR like(url,"%role-permission%") | sort 0 - lastTime
```

**Defender KQL:**
```kql
// Requires IIS / nginx access logs ingested to a custom table; M365 Defender XDR does not natively capture inbound HTTP to a self-hosted PHP app.
// Pivot via DeviceNetworkEvents for the web server's inbound traffic to the panel's listening port, then triage in the proxy/WAF.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where LocalPort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName in~ ("w3wp.exe","php-fpm.exe","php.exe","nginx.exe","httpd.exe","caddy.exe")
| where ActionType == "InboundConnectionAccepted"
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, LocalIP, LocalPort, RemoteIP, InitiatingProcessFileName
| where Connections > 5
| order by LastSeen desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-47744`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 2 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
