Cyber Posture

CVE-2026-21446

Severity: Critical · Public PoC available

Published: 02 January 2026
Modified: 08 January 2026
KEV Added: (none listed)
Patch: available (2.3.10)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, the installer's API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Identifies and restricts the specific actions, such as calls to the /install/api/* endpoints, that remain permitted without identification or authentication after installation.

Prevent: Enforces approved authorizations so that unauthenticated access to the installation API endpoints, which allow admin creation and configuration changes, is blocked.

Prevent: Restricts the system to least functionality by disabling the installation API routes after initial setup, so they are no longer exposed or exploitable.

Security Summary [AI-generated]

CVE-2026-21446 is a critical vulnerability in Bagisto, an open-source Laravel-based eCommerce platform. It affects versions on the 2.3 branch prior to 2.3.10, in which the API routes under /install/api/* remain registered and directly reachable after the initial installation has completed. The endpoints enforce no authentication at all, so the flaw is a missing authentication check for a critical function (CWE-306). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, and high confidentiality, integrity and availability impact.

Any unauthenticated remote attacker can exploit it by invoking the installation API endpoints directly, bypassing the installer entirely. Successful exploitation lets the attacker create administrative accounts, modify core application configuration, and potentially overwrite existing data in the database, which amounts to full unauthorized control of the eCommerce instance.

The Bagisto security advisory (GHSA-6h7w-v2xr-mqvw) and the associated commit (380c045e48490da740cd505fb192cc45e1809bed) confirm that version 2.3.10 resolves the issue by disabling or otherwise protecting these API routes once installation is complete. Affected deployments should be upgraded to 2.3.10 or later, and operators should confirm afterwards that requests to /install/api/* are rejected. Because the endpoints could create admin accounts and change configuration, any instance that was reachable while vulnerable should also have its admin user list and configuration reviewed for unauthorized changes.
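As an added post-upgrade check (example code written for this page, not Bagisto's own tooling): the script below sends GET and OPTIONS requests to a few paths under /install/api/ and reports whether a route is still registered there. The specific sub-paths are assumptions, since the advisory names only the prefix. It deliberately never sends POST, because a POST body to a still-active install endpoint could perform the very writes the advisory warns about.

```python
"""Post-upgrade exposure check for Bagisto's /install/api/* routes (CVE-2026-21446).

Added example, not Bagisto's own code. The sub-paths below are assumptions
for illustration; the advisory only names the /install/api/* prefix.
Probes use GET and OPTIONS only: a POST to a still-active install endpoint
could trigger the writes the advisory describes.
"""
import sys
import urllib.error
import urllib.request
from typing import Iterable, Optional, Tuple

# Assumed sub-paths; the advisory names only the prefix.
CANDIDATE_PATHS = ["/install/api/", "/install/api/status", "/install/api/install"]
SAFE_METHODS = ("OPTIONS", "GET")


def verdict(status: Optional[int], allow: Optional[str] = None) -> str:
    """Classify one probe result.

    After the 2.3.10 fix the route should not exist, so 404/410 is "closed".
    Any sign that a route is still registered (2xx, 405 Method Not Allowed,
    or an Allow header, which Laravel returns for OPTIONS on a known route)
    is "exposed". Auth denials, redirects and server errors need a human look.
    """
    if status is None:
        return "unreachable"
    if status in (404, 410):
        return "closed"
    if allow or 200 <= status < 300 or status == 405:
        return "exposed"
    return "review"  # 401, 403, 3xx, 5xx, ...


def probe(base_url: str, path: str, method: str,
          timeout: float = 5.0) -> Tuple[Optional[int], Optional[str]]:
    """Send one request; return (status, Allow header), or (None, None) on failure."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Allow")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Allow")
    except (urllib.error.URLError, OSError):
        return None, None


def overall(verdicts: Iterable[str]) -> str:
    """Collapse per-probe verdicts into one deployment verdict."""
    vs = set(verdicts)
    if "exposed" in vs:
        return "EXPOSED"
    if vs == {"unreachable"}:
        return "UNREACHABLE"
    if "review" in vs or "unreachable" in vs:
        return "REVIEW"
    return "CLOSED"


def check(base_url: str) -> str:
    """Probe every candidate path with every safe method and summarise."""
    results = []
    for path in CANDIDATE_PATHS:
        for method in SAFE_METHODS:
            status, allow = probe(base_url, path, method)
            v = verdict(status, allow)
            results.append(v)
            print(f"{method:7} {path:22} -> {status} {allow or ''} [{v}]")
    return overall(results)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8000"
    print("Overall:", check(target))
```

Run it against the store's base URL. A 404 on every probe is the expected result after upgrading to 2.3.10; any 2xx, 405, or Allow header means the route is still reachable. Until the upgrade is in place, blocking the /install/ prefix at the reverse proxy is a reasonable compensating control in the spirit of the least-functionality control listed above.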

Details

CWE(s)

CWE-306 Missing Authentication for Critical Function

Affected Products

webkul / bagisto
Versions 2.3.0 up to, but not including, 2.3.10

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to exploit public-facing API endpoints in the Bagisto eCommerce platform, enabling full unauthorized control via installation functions, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
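For the detection side of T1190, here is an added example (not taken from the page's source or from Bagisto) that scans combined-format access logs for requests to /install/api/* made after the installation was completed. The log lines are constructed for this example, and the sub-paths /install/api/install and /install/api/admin are assumptions, not endpoints named in the advisory.

```python
"""Flag post-installation traffic to Bagisto's /install/api/* routes
(CVE-2026-21446) in combined-format access logs.

Added example, not Bagisto's code. The sample log lines are constructed;
the sub-paths /install/api/install and /install/api/admin are assumptions.
"""
import re
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

INSTALL_PREFIX = "/install/api/"
WRITE_METHODS = ("POST", "PUT", "PATCH", "DELETE")

# nginx/Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

Finding = Tuple[str, str, str, str, int]  # severity, ip, method, path, status


def parse(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def severity(rec: dict, installed_at: datetime) -> Optional[str]:
    """Rate one request, or return None if it is not a finding.

    Install-API traffic before installation completed is expected. After
    that the route should not exist at all (the 2.3.10 behaviour), so a 2xx
    or 405 shows it is still registered, and a successful state-changing
    call is treated as a probable compromise.
    """
    if not rec["path"].startswith(INSTALL_PREFIX) or rec["ts"] < installed_at:
        return None
    ok = 200 <= rec["status"] < 300
    if rec["method"] in WRITE_METHODS and ok:
        return "critical"
    if ok or rec["status"] == 405:
        return "high"
    return "medium"  # rejected probe; still worth noting as reconnaissance


def scan(lines: Iterable[str], installed_at: datetime) -> List[Finding]:
    """Return findings for every post-install request under the install prefix."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        sev = severity(rec, installed_at)
        if sev is not None:
            findings.append((sev, rec["ip"], rec["method"], rec["path"], rec["status"]))
    return findings


# Constructed sample: one legitimate setup call, then post-install probing.
INSTALLED_AT = datetime(2025, 12, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2025:08:45:10 +0000] "POST /install/api/install HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jan/2026:02:13:44 +0000] "GET /install/api/ HTTP/1.1" 405 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [04/Jan/2026:02:13:45 +0000] "POST /install/api/admin HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '198.51.100.9 - - [04/Jan/2026:03:01:00 +0000] "GET /install/api/status?x=1 HTTP/1.1" 404 0 "-" "curl/8.4"',
    '192.0.2.1 - - [04/Jan/2026:03:02:00 +0000] "GET /admin/login HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, INSTALLED_AT):
        print("%-8s %-14s %-5s %-25s %d" % f)
```

The installation timestamp is the key input: take it from the deployment record rather than guessing, because the same request that is legitimate during setup is an attack afterwards. A "critical" finding (a successful POST to the install API after setup) should be handled as a likely admin-account compromise, not just a probe.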

References

GHSA-6h7w-v2xr-mqvw (Bagisto security advisory)
Fix commit 380c045e48490da740cd505fb192cc45e1809bed