CVE-2026-47742 - Shopper product Livewire authorization bypass
Shopper framework versions before 2.8.0 allowed authenticated admin-panel
users to call product editor Livewire sub-form store() methods without the
edit_products permission. The affected Edit, Inventory, Seo,
Shipping, and Files components also accepted product identifiers through
public Livewire properties that were not locked, so a lower-privilege user
could tamper with the client-side wire payload and mutate a different product.
The impact is product data integrity loss: pricing, stock, SEO fields, shipping dimensions, and product media can be changed by users who should only have limited panel access. A reviewer-ready fix needs the upstream upgrade plus tests that exercise direct Livewire calls, not only the normal product editor page.
When to use it
Use this recipe when a Laravel Shopper deployment has admin-panel roles that should not be able to edit product data, or when local Livewire product forms override Shopper defaults. It is designed for source-code remediation, object-level authorization review, Livewire property-binding hardening, and evidence that low-privilege panel users cannot mutate products through direct wire requests.
Inputs
shopper/frameworkversion, Composer lock state, product policies, Livewire product components, admin roles/permissions, and generated dependency reports.- Source paths for product
Edit,Inventory,Seo,Shipping,Files, custom product forms, media handlers, policies, routes, and tests. - Regression fixtures for users without
edit_products, authorized editors, tampered product identifiers, locked properties, directstore()calls, and expected403behavior. - Boundary evidence: product ownership, admin role matrix, affected catalog fields, audit logs, rollout owner, and data repair owner.
Affected versions
- Vulnerable package:
shopper/framework <2.8.0 - Fixed package:
shopper/framework 2.8.0 - Affected package manager: Composer
- Affected surfaces: product editor Livewire sub-forms:
Edit,Inventory,Seo,Shipping, andFiles - Required attacker capability: authenticated Shopper panel account without
edit_products - Bug classes: missing authorization and client-side model binding tampering
Indicator-of-exposure
- The repository depends on, vendors, forks, or deploys
shopper/frameworkbefore2.8.0. - The Shopper admin panel is exposed to roles below full product-editing trust, such as support, marketing, catalog reader, fulfillment, auditor, or vendor operator roles.
- Product editor Livewire sub-components expose public
Productor product-id properties without#[Locked]or an equivalent server-side binding guard. store()methods on product sub-forms assume the parent page authorization check already ran and do not re-checkedit_products.- Local code overrides Shopper product forms, product policies, Filament pages, Livewire components, or product media handling.
Quick checks:
rg -n "shopper/framework|shopper/admin|edit_products|Products|Product|Inventory|Seo|Shipping|Files|Livewire|#\\[Locked\\]|public \\$product|public \\$.*product|store\\(" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "edit_products|#\\[Locked\\]|public \\$product|Product.*store\\(|Inventory.*store\\(|Seo.*store\\(|Shipping.*store\\(|Files.*store\\(" composer.json composer.lock app config resources routes tests vendor . 2>/dev/null
Windows:
rg -n "shopper/framework|shopper/admin|edit_products|Products|Product|Inventory|Seo|Shipping|Files|Livewire|#\\[Locked\\]|public \\$product|public \\$.*product|store\\(" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "edit_products|#\\[Locked\\]|public \\$product|Product.*store\\(|Inventory.*store\\(|Seo.*store\\(|Shipping.*store\\(|Files.*store\\(" composer.json composer.lock app config resources routes tests vendor .
Do not tamper with production product ids, prices, stock, media, or SEO fields during triage. Use isolated fixtures or local test databases only.
Remediation strategy
- Upgrade every controlled Shopper dependency, Composer lockfile, deployment
image, generated dependency report, and SBOM to
2.8.0+. - Verify product sub-form
store()paths authorizeedit_productsimmediately before mutation. Do not rely only on route, page, or mount authorization. - Lock Livewire product bindings with
#[Locked]or an equivalent server-side lookup keyed by an already-authorized route/model binding. - Add denied-path tests for low-privilege authenticated users that call the Livewire sub-form actions directly and attempt product-id tampering.
- Add allowed-path tests proving users with
edit_productscan still update expected product fields. - Review product change logs during the exposure window if untrusted panel users had access to affected versions.
The prompt
You are remediating CVE-2026-47742 / GHSA-h4mp-g9c6-xwph, a Shopper
product-admin Livewire authorization bypass where product sub-form `store()`
methods can be called by authenticated users without `edit_products`, and
unlocked public product bindings allow client-side target tampering. Produce
exactly one output:
- A reviewer-ready PR/change request that upgrades Shopper, adds per-action
product authorization, locks product bindings, adds safe Livewire regression
tests, refreshes generated artifacts, and documents product-data review, or
- TRIAGE.md if this repository does not control an affected Shopper admin
runtime, dependency, customization, or deployment.
## Rules
- Scope only CVE-2026-47742 / GHSA-h4mp-g9c6-xwph and directly related
Shopper product editor, Livewire binding, and product authorization controls.
- Treat product pricing, inventory, SEO data, shipping dimensions, media,
customer/order data, admin sessions, audit logs, application secrets, and
database credentials as sensitive.
- Do not mutate production products, probe live product ids, upload media to
production, export catalog data, or print sensitive records during validation.
- Do not remove product authorization, audit logging, role checks, or tests to
make the advisory disappear.
- Do not auto-merge.
## Steps
1. Inventory all Shopper references in `composer.json`, `composer.lock`,
package constraints, Dockerfiles, deployment images, generated dependency
reports, SBOMs, admin routes, Livewire components, product policies,
Filament pages, product media handlers, and local forks or overrides.
2. Determine every resolved Shopper version. A target is vulnerable if
`shopper/framework` resolves below `2.8.0`.
3. Search for product editor sub-form code and customizations:
`Edit`, `Inventory`, `Seo`, `Shipping`, `Files`, `store()`,
`edit_products`, `#[Locked]`, public `Product` properties, public product-id
properties, Livewire actions, Filament actions, and product policy gates.
4. If the repository does not deploy Shopper admin product editing code, stop
with `TRIAGE.md` listing checked files, external owner if known, and the
required fixed version.
5. Upgrade affected Shopper packages to `2.8.0+`. Refresh `composer.lock`,
container layers, generated dependency reports, SBOMs, deployment manifests,
and docs that pin or install Shopper.
6. Verify or patch product sub-form authorization:
- every product sub-form `store()` authorizes `edit_products` immediately
before changing product, inventory, SEO, shipping, or media state;
- route, page, or component mount checks do not replace per-action checks;
- denied attempts return a forbidden response and do not partially mutate.
7. Verify or patch Livewire binding hardening:
- product model or id properties that must not be client-rewritten are
`#[Locked]` or resolved server-side from trusted route state;
- tests prove tampered wire payloads cannot retarget another product;
- local overrides follow the same pattern as the fixed upstream release.
8. Add safe regression tests:
- unauthenticated users cannot call product sub-form mutations;
- authenticated users without `edit_products` cannot call `Edit`,
`Inventory`, `Seo`, `Shipping`, or `Files` `store()` paths;
- tampered product identifiers are rejected;
- users with `edit_products` can still make legitimate updates;
- logs and test output omit product secrets, customer/order data, sessions,
and database details.
9. Add a PR body section named `CVE-2026-47742 operator actions` that states:
- Shopper versions before and after;
- whether local product Livewire customizations exist;
- which product sub-forms were verified;
- which roles can edit products after the patch;
- whether suspicious product changes, media uploads, stock edits, or price
changes need review for the exposure window;
- which validation commands passed.
10. Run available validation: Composer install/check-platform-reqs, lockfile
integrity, Laravel/PHP unit and feature tests, Livewire component tests,
static analysis, lint, product-admin smoke tests, dependency/security scans,
SBOM refresh, and deployment rendering.
11. Use PR title:
`fix(sec): remediate CVE-2026-47742 in Shopper products`.
## Stop conditions
- No affected Shopper package, admin panel, product editor, local fork,
deployment image, or product Livewire customization is controlled by this
repository.
- Shopper is owned by another application or platform team; name the owner and
required fixed version in `TRIAGE.md`.
- Upgrading to `2.8.0+` requires a broader Laravel/PHP migration or maintenance
window the agent cannot schedule.
- Verification would require mutating production products, uploading live
media, probing live product ids, or exposing catalog/customer/order data.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades Shopper, adds per-method product authorization, locks product bindings, adds direct Livewire denial tests, and documents catalog/audit review.
- Or a
TRIAGE.mdfile that lists inspected components/policies, owner, observed version, product-edit boundary, required fix, and residual risk. - The output must include exact validation commands and must not mutate real catalog data, expose customer/order data, or weaken product policies.
Verification - what the reviewer looks for
- No controlled Composer lockfile, image, SBOM, generated report, or package
manifest resolves
shopper/framework <2.8.0. - Product sub-form
store()actions requireedit_productsimmediately before mutation. - Product model/id bindings are locked or resolved from trusted server-side state, not accepted from client-controlled wire payloads.
- Regression tests cover direct Livewire action calls, product-id tampering, denied low-privilege paths, and allowed product-editor paths.
- Operator notes cover product price, stock, SEO, shipping, and media review when untrusted panel users had access.
Watch for
- Updating the package but leaving local Livewire overrides on the old unsafe pattern.
- Testing only the product editor page while direct Livewire action calls remain untested.
- Relying on route or mount authorization while
store()performs the actual mutation without a fresh check. - Locking one product property while another public id can still retarget the mutation.
- Logging product fixtures that contain customer/order data or internal pricing details.
Related recipes
- Source code authz tenant boundary audit
- Source code attack surface map
- OWASP Top 10 2026 audit
- SAST finding triage and fix
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-h4mp-g9c6-xwph
- Shopper advisory: https://github.com/shopperlabs/shopper/security/advisories/GHSA-h4mp-g9c6-xwph
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47742
- Patch pull request: https://github.com/shopperlabs/shopper/pull/511