CVE-2026-47744 Elastic Security · Elastic

Detect Shopper Framework Authorization Bypass and RBAC Privilege Escalation in Team Settings in Elastic Security

CVE-2026-47744 is a critical authorization bypass and RBAC privilege escalation vulnerability in the Shopper e-commerce framework (composer package shopper/framework) affecting versions prior to 2.8.0. An authenticated low-privileged user can bypass role-based access controls in team settings to escalate privileges or perform unauthorized administrative actions. A public proof-of-concept exists, making active exploitation likely. CVSS score 9.9.

MITRE ATT&CK

Tactic
Privilege Escalation Persistence

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [any where
    event.dataset in ("nginx.access", "apache.access", "iis.access") and
    url.path : ("*/teams*", "*/team-settings*", "*/roles*", "*/permissions*", "*/members*") and
    url.path : ("*shopper*", "*/api/*") and
    http.request.method in ("POST", "PUT", "PATCH", "DELETE") and
    http.response.status_code in (200, 201, 204)] with runs=5
critical severity medium confidence

Elastic EQL sequence query that detects 5 or more successful mutating HTTP requests to Shopper RBAC management endpoints from the same IP within 5 minutes, indicative of privilege escalation exploitation of CVE-2026-47744.

Data Sources

Nginx Access LogsApache Access LogsIIS Access LogsElastic APM

Required Tables

logs-nginx.access-*logs-apache.access-*logs-iis.access-*

False Positives & Tuning

  • Legitimate bulk role assignment operations by administrators
  • Automated onboarding workflows that assign team permissions
  • Load testing tools generating high-frequency API requests
  • Monitoring agents that poll team settings endpoints

Other platforms for CVE-2026-47744

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Shopper RBAC Bypass — Escalate to Admin via Team Settings API

    Expected signal: HTTP POST to /api/teams/1/members with 200/201 response code from a low-privileged account; database INSERT into team_user or role_user table with admin role association

  2. Test 2Shopper RBAC Bypass — Modify Existing Team Member Role to Admin

    Expected signal: HTTP PATCH to /api/teams/1/members/{id} returning 200 from a non-admin session token; corresponding UPDATE in the role_user or team_user database table

  3. Test 3Shopper RBAC Bypass — Create New Admin Account via Team Invitation

    Expected signal: HTTP POST to /api/teams/1/invitations with admin role returning 200/201 from low-privileged token; invitation record created in database with role=admin; email delivery event to attacker-controlled address

  4. Test 4Shopper RBAC Bypass — Enumerate Team Permissions and Extract Sensitive Data

    Expected signal: Multiple GET requests to admin-restricted endpoints (/api/teams, /api/settings, /api/orders) returning 200 from a recently-escalated non-admin account; unusual access pattern to sensitive data endpoints

Last updated: 2026-06-21 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-47744 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0003Persistence

Related Techniques

T1548Abuse Elevation Control MechanismT1078Valid AccountsT1098Account Manipulation

Same Tactic: Privilege Escalation

Popular Detections