Intel

AIKIDO-2026-135231

shopify_app is vulnerable to Authorization Bypass

Authorization BypassGHSA-6j52-38f8-qhxr Published Jun 29, 2026

75

High Risk

This Affects:

RUBYshopify_app
22.1.0 - 23.0.2
Fixed in 23.0.3
Are you affected? Scan for Free

TL;DR

In token-exchange authenticated controllers, the current_shopify_domain helper resolves to the sanitized shop query parameter before falling back to the shop identity from the verified Shopify ID token or active session. An attacker holding a valid session token for one shop can send an authenticated request carrying a different shop parameter, causing application code that trusts current_shopify_domain or params[:shop] to operate in the context of the requested shop. This enables cross-shop authorization bypass, allowing access to another shop's data or shop-scoped actions. The fix resolves current_shopify_domain from the authenticated shop, adds authenticated_shopify_domain and requested_shopify_domain helpers, and rejects token-exchange requests with 401 Unauthorized when the requested shop does not match the authenticated shop.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses token-exchange authentication and relies on current_shopify_domain or the request shop parameter for authorization or shop-scoped data access.

Background info

shopify_app is vulnerable to Authorization Bypass in versions 22.1.0 - 23.0.2.

How to fix this

Upgrade the shopify_app library to the patch version.