CVE-2026-47741: Shopper Discount Over-Redemption Race Condition (MEDIUM)
Shopper, a headless e-commerce admin panel, had a race condition in its checkout process that allowed customers to bypass discount usage limits during high-concurrency periods like Black Friday or flash sales. The system would apply a discount to an order and save it to the database before verifying whether that discount had already been used up. If multiple customers checked out simultaneously with the same coupon, the system would grant the discount to all of them even after the coupon's limit was exceeded, because the counter-increment happened too late in the process. Merchants would not receive any warning that over-redemption had occurred, leading to undetected revenue loss.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-362
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in CreateOrderFromCartAction::execute, which commits the Order row with the discount applied before atomically checking and incrementing the discount's total_use counter. This race condition manifests under concurrent load: Thread A and Thread B both read usage_limit=100 and current counter at 99, both proceed to create orders with the discount applied, and both attempt to increment the counter. Due to the order of operations, both succeed in writing orders while the counter atomically increments to 101, exceeding the limit. The absence of a pre-check or transactional guard between discount validation and order persistence allows silent over-redemption.
Business impact
Undetected coupon over-redemption directly erodes profit margins on high-traffic sales events. A single flash sale or viral coupon campaign can result in hundreds or thousands of discounts applied beyond the planned usage cap, with no audit trail or immediate notification to the merchant. This creates reconciliation friction and trust issues with finance teams, and potential customer service disputes if merchants attempt retroactive chargebacks or order cancellations.
Affected systems
Shopper versions prior to 2.8.0 are vulnerable. The exact scope of deployed instances is unknown, but any Shopper installation used in e-commerce operations with concurrent checkout traffic and discount campaigns is at risk.
Exploitability
Exploitation does not require authentication, special privileges, or user interaction—it occurs naturally during normal concurrent checkout under promotional pressure. An attacker need not craft a special payload; the race condition triggers organically when multiple legitimate customers attempt to redeem the same limited-use discount simultaneously. The requirement for concurrent timing (AC:H in CVSS) means exploitation is not trivial to orchestrate deliberately, but it will occur reliably during organic traffic spikes. No public exploit code is known to exist.
Remediation
Upgrade Shopper to version 2.8.0 or later, which fixes the race condition by ensuring the discount counter is checked and incremented atomically before the Order is committed. Organizations unable to upgrade immediately should consider temporarily disabling high-traffic coupon campaigns or implementing manual monitoring of discount redemption logs to detect over-redemption.
Patch guidance
Apply Shopper 2.8.0 or later. Verify the version in your deployment; the fix changes the transaction scope of CreateOrderFromCartAction::execute to include the counter increment before order persistence. No configuration changes or data migration are required post-patch. Test the patch in a staging environment under simulated concurrent load before production deployment to confirm the race condition is eliminated.
Detection guidance
Review order and discount logs for the period before upgrading. Cross-reference order timestamps and applied discounts against the discount's declared usage_limit; if the number of orders exceeding the limit correlates with high-traffic periods, over-redemption likely occurred. Monitor application logs for any concurrent transaction conflicts or counter-lock timeouts during checkout. Post-patch, establish ongoing reconciliation checks comparing applied discount counts to configured limits on a per-coupon basis.
Why prioritize this
Although the CVSS score is MEDIUM (5.9), the business impact is material and the exploitability is high in real-world e-commerce conditions. Any organization running Shopper with active discount campaigns should prioritize the upgrade to 2.8.0. The vulnerability directly manifests during peak revenue events (Black Friday, flash sales), making delayed patching a compounding financial risk.
Risk score, explained
CVSS 5.9 reflects confidentiality impact of None, integrity impact of High (discounts are applied incorrectly), and availability impact of None. The network-accessible vector (AV:N) and lack of authentication (PR:N, UI:N) are offset by the requirement for concurrent timing (AC:H), which lowers severity from HIGH to MEDIUM. However, the integrity issue is material: merchants' revenue controls are compromised.
Frequently asked questions
Can we detect if our Shopper instance was exploited before we upgrade?
Yes, by auditing discount redemption logs. Compare the count of orders that received each discount against the discount's configured usage_limit, focusing on high-traffic periods. If the actual redemption count exceeds the limit, over-redemption occurred. Document the discrepancy and estimate the financial impact for reconciliation purposes.
Does this vulnerability require a specific coupon code or discount structure?
No. Any discount configured with a usage_limit in Shopper versions before 2.8.0 is vulnerable. The race condition is inherent to the order-creation logic, not to specific discount types.
What should we do if we've already suffered over-redemption losses?
Contact affected customers and determine whether chargebacks or partial refunds are appropriate. Preserve all audit logs for potential dispute resolution. Ensure your upgrade to 2.8.0 is tested and deployed to prevent future occurrences, then implement the detection guidance above to catch any residual issues.
Is there a workaround if we cannot upgrade immediately?
Temporarily disable or severely limit coupon campaigns with high usage caps, and implement manual daily reconciliation of discount redemptions against limits. This is not a permanent solution and should be viewed as a bridge measure only.
This analysis is based on the CVE record and vendor advisory published 2026-05-29. No exploit code or weaponized proof-of-concept is provided or endorsed. Organizations should verify patch availability and compatibility against their Shopper deployment before applying updates. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability details and recommends consulting official vendor documentation for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-46187MEDIUMLinux RSI Driver Use-After-Free Vulnerability (CVSS 4.7)
- CVE-2026-46272MEDIUMLinux CoreSight TMC-ETR Race Condition DoS
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10565LOWRace Condition in Open5GS NGAP Handover Affects 5G Service Continuity
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2026-46157HIGHLinux Kernel ALSA PCM OSS Data Race Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset