Token exchange shop context confusion may allow cross-shop authorization bypass in affected apps
Published: June 24, 2026
SECURITY IDENTIFIERS
- GHSA: GHSA-6j52-38f8-qhxr
- Vendor Advisory: https://github.com/Shopify/shopify_app/security/advisories/GHSA-6j52-38f8-qhxr
GEM
UNAFFECTED VERSIONS
< 22.1.0
PATCHED VERSIONS
>= 23.0.3
DESCRIPTION
Description
In token-exchange authenticated controllers, shopify_app exposes shop context through helpers such as current_shopify_domain. Prior to the fix, current_shopify_domain could resolve to the sanitized shop query parameter instead of the shop identity derived from the verified Shopify ID token or active Shopify session.
As a result, a request authenticated for one shop could include a different shop query parameter, causing application code to treat the requested shop as the current shop.
Applications that used current_shopify_domain, or the request shop parameter, for authorization decisions, tenant lookup, stored access-token selection, or shop-scoped data access may have been vulnerable to cross-shop context confusion.
The patched version hardens token-exchange handling so that:
current_shopify_domainresolves to the authenticated shop from the verified token or session.authenticated_shopify_domainexposes the trusted authenticated shop.requested_shopify_domainexposes the sanitized requested shop parameter for bootstrap or routing use cases only.- Token-exchange requests are rejected with
401 Unauthorizedwhen the requested shop does not match the authenticated shop.
RELATED
- https://rubygems.org/gems/shopify_app/versions/23.0.3
- https://github.com/Shopify/shopify_app/blob/v23.0.3/CHANGELOG.md#2303-june-24-2026
- https://github.com/Shopify/shopify_app/releases/tag/v23.0.3
- https://github.com/Shopify/shopify_app/pull/2081
- https://github.com/Shopify/shopify_app/security/advisories/GHSA-6j52-38f8-qhxr
