Shopper Framework Authorization Bypass and RBAC Privilege Escalation in Team Settings

union AzureDiagnostics, AppServiceHTTPLogs, W3CIISLog
| where TimeGenerated > ago(24h)
| where requestUri_s has_any ("/shopper/", "/api/teams", "/team-settings", "/roles", "/permissions")
| where httpMethod_s in ("POST", "PUT", "PATCH", "DELETE")
| where httpStatus_s in ("200", "201", "204") or statusCode_d in (200, 201, 204)
| extend UserAgent = coalesce(userAgent_s, csUserAgent_s)
| extend ClientIP = coalesce(clientIp_s, cIP_s)
| extend RequestPath = coalesce(requestUri_s, csUriStem_s)
| where RequestPath matches regex @"/(team[s]?[-_]?setting[s]?|role[s]?|permission[s]?|member[s]?)"
| summarize
    RequestCount = count(),
    DistinctPaths = dcount(RequestPath),
    Methods = make_set(httpMethod_s),
    StatusCodes = make_set(coalesce(httpStatus_s, tostring(statusCode_d)))
    by ClientIP, bin(TimeGenerated, 5m), UserAgent
| where RequestCount > 5 or DistinctPaths > 3
| extend Severity = "Critical"
| extend RuleId = "CVE-2026-47744"
| project TimeGenerated, ClientIP, UserAgent, RequestCount, DistinctPaths, Methods, StatusCodes, Severity, RuleId

index=web OR index=access_logs OR index=iis
| eval RequestPath=coalesce(uri_path, cs_uri_stem, request_path)
| eval ClientIP=coalesce(src_ip, c_ip, clientip)
| eval HTTPMethod=coalesce(http_method, cs_method, method)
| eval StatusCode=coalesce(status, sc_status, http_status_code)
| where match(RequestPath, "(?i)/(teams?[-_]?settings?|roles?|permissions?|members?)")
| where match(RequestPath, "(?i)shopper|/api/")
| where HTTPMethod IN ("POST", "PUT", "PATCH", "DELETE")
| where StatusCode IN ("200", "201", "204")
| bin _time span=5m
| stats
    count AS RequestCount,
    dc(RequestPath) AS DistinctPaths,
    values(HTTPMethod) AS Methods,
    values(StatusCode) AS StatusCodes
    BY ClientIP, _time, http_user_agent
| where RequestCount > 5 OR DistinctPaths > 3
| eval RuleId="CVE-2026-47744"
| eval Severity="Critical"
| table _time, ClientIP, http_user_agent, RequestCount, DistinctPaths, Methods, StatusCodes, RuleId, Severity

sequence by source.ip with maxspan=5m
  [any where
    event.dataset in ("nginx.access", "apache.access", "iis.access") and
    url.path : ("*/teams*", "*/team-settings*", "*/roles*", "*/permissions*", "*/members*") and
    url.path : ("*shopper*", "*/api/*") and
    http.request.method in ("POST", "PUT", "PATCH", "DELETE") and
    http.response.status_code in (200, 201, 204)] with runs=5

SELECT
  sourceip,
  "URL" AS request_path,
  "Method" AS http_method,
  "Response Code" AS status_code,
  COUNT(*) AS request_count,
  UNIQUECOUNT("URL") AS distinct_paths,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Microsoft IIS', 'Nginx')
  AND ("URL" ILIKE '%/teams%'
    OR "URL" ILIKE '%/team-settings%'
    OR "URL" ILIKE '%/roles%'
    OR "URL" ILIKE '%/permissions%'
    OR "URL" ILIKE '%/members%')
  AND ("URL" ILIKE '%shopper%' OR "URL" ILIKE '%/api/%')
  AND "Method" IN ('POST', 'PUT', 'PATCH', 'DELETE')
  AND "Response Code" IN ('200', '201', '204')
  AND LOGSOURCETIME(starttime) > NOW() - 1 HOURS
GROUP BY sourceip, "URL", "Method", "Response Code"
HAVING COUNT(*) > 5 OR UNIQUECOUNT("URL") > 3
ORDER BY request_count DESC

_sourceCategory=web/access OR _sourceCategory=iis OR _sourceCategory=nginx
| parse regex "(?P<client_ip>\\d+\\.\\d+\\.\\d+\\.\\d+).+\"(?P<method>POST|PUT|PATCH|DELETE) (?P<path>/[^\" ]+)" nodrop
| parse regex "(?P<status_code>2\\d{2})" nodrop
| where path matches "*shopper*" or path matches "*/api/*"
| where path matches "*/teams*" or path matches "*/team-settings*" or path matches "*/roles*" or path matches "*/permissions*" or path matches "*/members*"
| where status_code in ("200", "201", "204")
| timeslice 5m
| count as RequestCount, count_distinct(path) as DistinctPaths by client_ip, _timeslice, method
| where RequestCount > 5 or DistinctPaths > 3
| sort by RequestCount desc
| fields _timeslice, client_ip, method, RequestCount, DistinctPaths

rule cve_2026_47744_shopper_rbac_bypass {
  meta:
    author = "df00tech"
    description = "Detects exploitation of CVE-2026-47744 Shopper framework RBAC authorization bypass"
    severity = "CRITICAL"
    rule_version = "1.0"
    reference = "https://github.com/shopperlabs/shopper/security/advisories/GHSA-c3qp-2ggw-xjg7"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.method = /POST|PUT|PATCH|DELETE/
    $e.network.http.response_code >= 200
    $e.network.http.response_code <= 204
    $e.network.http.request_url = /\/?(shopper|api).*\/(teams?[-_]?settings?|roles?|permissions?|members?)/i
    $ip = $e.principal.ip

  match:
    $ip over 5m

  condition:
    #e >= 5
}

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| CommandLine = /shopper/i OR HttpPath = /\/(teams?|roles?|permissions?|members?)/i
| HttpMethod IN ["POST", "PUT", "PATCH", "DELETE"]
| HttpStatusCode IN [200, 201, 204]
| groupBy([RemoteAddressIP4, HttpPath, HttpMethod], function=[count(aid, as=RequestCount), min(timestamp, as=FirstSeen), max(timestamp, as=LastSeen)])
| RequestCount > 5
| sort(RequestCount, order=desc)
| select([RemoteAddressIP4, HttpPath, HttpMethod, RequestCount, FirstSeen, LastSeen])