RubySec

Providing security resources for the Ruby community

GHSA-6j52-38f8-qhxr (shopify_app): Token exchange shop context confusion may allow cross-shop authorization bypass in affected apps

Token exchange shop context confusion may allow cross-shop authorization bypass in affected apps

Published: June 24, 2026

SECURITY IDENTIFIERS

GEM

shopify_app

UNAFFECTED VERSIONS

< 22.1.0

PATCHED VERSIONS

>= 23.0.3

DESCRIPTION

Description

In token-exchange authenticated controllers, shopify_app exposes shop context through helpers such as current_shopify_domain. Prior to the fix, current_shopify_domain could resolve to the sanitized shop query parameter instead of the shop identity derived from the verified Shopify ID token or active Shopify session.

As a result, a request authenticated for one shop could include a different shop query parameter, causing application code to treat the requested shop as the current shop.

Applications that used current_shopify_domain, or the request shop parameter, for authorization decisions, tenant lookup, stored access-token selection, or shop-scoped data access may have been vulnerable to cross-shop context confusion.

The patched version hardens token-exchange handling so that:

  • current_shopify_domain resolves to the authenticated shop from the verified token or session.
  • authenticated_shopify_domain exposes the trusted authenticated shop.
  • requested_shopify_domain exposes the sanitized requested shop parameter for bootstrap or routing use cases only.
  • Token-exchange requests are rejected with 401 Unauthorized when the requested shop does not match the authenticated shop.

RELATED