Detect Shopper Framework Authorization Bypass and RBAC Privilege Escalation in Team Settings in Microsoft Sentinel
CVE-2026-47744 is a critical authorization bypass and RBAC privilege escalation vulnerability in the Shopper e-commerce framework (composer package shopper/framework) affecting versions prior to 2.8.0. An authenticated low-privileged user can bypass role-based access controls in team settings to escalate privileges or perform unauthorized administrative actions. A public proof-of-concept exists, making active exploitation likely. CVSS score 9.9.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
KQL Detection Query
union AzureDiagnostics, AppServiceHTTPLogs, W3CIISLog
| where TimeGenerated > ago(24h)
| where requestUri_s has_any ("/shopper/", "/api/teams", "/team-settings", "/roles", "/permissions")
| where httpMethod_s in ("POST", "PUT", "PATCH", "DELETE")
| where httpStatus_s in ("200", "201", "204") or statusCode_d in (200, 201, 204)
| extend UserAgent = coalesce(userAgent_s, csUserAgent_s)
| extend ClientIP = coalesce(clientIp_s, cIP_s)
| extend RequestPath = coalesce(requestUri_s, csUriStem_s)
| where RequestPath matches regex @"/(team[s]?[-_]?setting[s]?|role[s]?|permission[s]?|member[s]?)"
| summarize
RequestCount = count(),
DistinctPaths = dcount(RequestPath),
Methods = make_set(httpMethod_s),
StatusCodes = make_set(coalesce(httpStatus_s, tostring(statusCode_d)))
by ClientIP, bin(TimeGenerated, 5m), UserAgent
| where RequestCount > 5 or DistinctPaths > 3
| extend Severity = "Critical"
| extend RuleId = "CVE-2026-47744"
| project TimeGenerated, ClientIP, UserAgent, RequestCount, DistinctPaths, Methods, StatusCodes, Severity, RuleIdDetects repeated successful HTTP requests to Shopper framework team settings, roles, and permissions endpoints that may indicate exploitation of the RBAC authorization bypass (CVE-2026-47744). Looks for high-frequency access to sensitive team management paths returning success status codes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrators performing bulk team management operations
- Automated provisioning scripts that configure team roles at deployment time
- Security scanners or penetration testing tools performing authorized assessments
- CI/CD pipelines that update team permissions as part of deployment workflows
Other platforms for CVE-2026-47744
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Shopper RBAC Bypass — Escalate to Admin via Team Settings API
Expected signal: HTTP POST to /api/teams/1/members with 200/201 response code from a low-privileged account; database INSERT into team_user or role_user table with admin role association
- Test 2Shopper RBAC Bypass — Modify Existing Team Member Role to Admin
Expected signal: HTTP PATCH to /api/teams/1/members/{id} returning 200 from a non-admin session token; corresponding UPDATE in the role_user or team_user database table
- Test 3Shopper RBAC Bypass — Create New Admin Account via Team Invitation
Expected signal: HTTP POST to /api/teams/1/invitations with admin role returning 200/201 from low-privileged token; invitation record created in database with role=admin; email delivery event to attacker-controlled address
- Test 4Shopper RBAC Bypass — Enumerate Team Permissions and Extract Sensitive Data
Expected signal: Multiple GET requests to admin-restricted endpoints (/api/teams, /api/settings, /api/orders) returning 200 from a recently-escalated non-admin account; unusual access pattern to sensitive data endpoints
Unlock Pro Content
Get the full detection package for CVE-2026-47744 including response playbook, investigation guide, and atomic red team tests.