CVE-2026-21446

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

B

agisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

References

Link	Resource
https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed	Patch
https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*

History

08 Jan 2026, 21:25

Type	Values Removed	Values Added
References	~~() https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed -~~	() https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed - Patch
References	~~() https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw -~~	() https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw - Exploit, Vendor Advisory
First Time		Webkul bagisto Webkul
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:webkul:bagisto::::::::

02 Jan 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-02 20:16

Updated : 2026-01-08 21:25

NVD link : CVE-2026-21446

Mitre link : CVE-2026-21446

CVE.ORG link : CVE-2026-21446

JSON object : View

Products Affected

bagisto

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-21446", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-02T20:16:18.020", "references": [{"url": "https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue."}], "lastModified": "2026-01-08T21:25:06.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "284410C8-A6CA-4BA3-A484-8E4B8EE3DC4E", "versionEndExcluding": "2.3.10", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}