CVE-2026-47745: Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables
The admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could:
- Disable every payment method on the store, blocking checkout.
- Disable or alter the default currency, changing displayed prices and the exchange rate basis.
- Disable carriers, breaking shipping rate computation at checkout.
The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user.
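The following is an added illustration of the missing control, not Shopper's own code (all names, the permission strings and the in-memory store are hypothetical). It shows the per-action check applied both where the admin table decides which toggles to render and, more importantly, where the action is actually performed, so a request crafted to call a hidden action is still refused.

```python
# Added example, not Shopper's code: per-action authorization for admin table actions.
# RESOURCES/ACTIONS, the "<resource>.<action>" permission format and the store layout
# are constructed for this illustration.
RESOURCES = ("payment_methods", "currencies", "carriers")
ACTIONS = ("enable", "disable", "edit", "delete")


class PermissionDenied(Exception):
    pass


def can(user_perms, resource, action):
    """Per-action check: the user needs the exact '<resource>.<action>' permission.
    Merely being an authenticated panel user is deliberately not enough."""
    return f"{resource}.{action}" in user_perms


def visible_actions(user_perms, resource):
    """Which toggles the admin table should render for this user. Hiding buttons
    is a convenience only; the server-side check in perform_action is the control."""
    return [a for a in ACTIONS if can(user_perms, resource, a)]


def perform_action(store, user_perms, resource, action, record_id, changes=None):
    """Server-side enforcement: every action re-checks the permission regardless
    of what the UI rendered. Returns the updated store."""
    if resource not in RESOURCES or action not in ACTIONS:
        raise ValueError("unknown resource or action")
    if not can(user_perms, resource, action):
        raise PermissionDenied(f"{resource}.{action}")
    record = store[resource][record_id]
    if action == "enable":
        record["enabled"] = True
    elif action == "disable":
        # Extra guard: refuse to disable the last enabled record, since disabling
        # every payment method or carrier blocks checkout (the advisory's impact).
        others = [r for rid, r in store[resource].items() if rid != record_id and r["enabled"]]
        if not others:
            raise ValueError(f"cannot disable the last enabled {resource} record")
        record["enabled"] = False
    elif action == "edit":
        record.update(changes or {})
    elif action == "delete":
        del store[resource][record_id]
    return store


def sample_store():
    """Constructed sample data: two payment methods, one currency, one carrier."""
    return {
        "payment_methods": {1: {"enabled": True}, 2: {"enabled": True}},
        "currencies": {1: {"enabled": True, "default": True}},
        "carriers": {1: {"enabled": True}},
    }
```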