CVE-2026-21446

Source
https://cve.org/CVERecord?id=CVE-2026-21446
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21446.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-21446
Aliases
Published
2026-01-02T19:18:36.095Z
Modified
2026-01-13T20:07:25.317589Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Bagisto Missing Authentication on Installer API Endpoints
Details

Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, the installer's API routes remain active even after initial installation is complete. The underlying API endpoints (/install/api/*) are directly accessible and exploitable without any authentication. An attacker can bypass the web installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.
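
The paragraph above describes unauthenticated reach into /install/api/* after installation has finished. The following is an added example, not Bagisto's code and not part of the CVE or OSV record, showing how a responder could triage web-server access logs for that pattern on an unpatched 2.3.x instance. It assumes Apache/nginx "combined" log format, treats any request under the /install/api/ prefix named in the advisory as suspect once the deployment's installation time has passed, and rates successful (2xx) state-changing methods highest, since those are the calls that could have created an admin account or rewritten configuration. The installer sub-path (step-a) and the client IPs in the sample lines are constructed for illustration and are not Bagisto's real route names.

```python
"""Triage access logs for post-install hits on the Bagisto installer API
(CVE-2026-21446). Added example; not project code. Assumes combined log
format and the /install/api/ prefix from the advisory. Sample data below
is constructed, including the sub-path 'step-a'."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Combined log format:
# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Prefix named in the advisory; everything under it is installer-only.
INSTALLER_PREFIX = "/install/api/"

# Methods that can change state; a 2xx on one of these after install is
# the strongest indicator that the installer was driven by an attacker.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Hit:
    ip: str
    time: datetime
    method: str
    path: str
    status: int
    severity: str  # "write" = successful state change, "probe" = anything else


def parse_time(s: str) -> datetime:
    """Parse the combined-log timestamp, e.g. 10/Jan/2026:03:14:07 +0000."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def triage(lines, installed_at: datetime):
    """Return installer-API requests made after installed_at.

    Traffic to /install/api/ before installed_at is the legitimate setup
    run and is skipped; lines that do not parse are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string
        if not path.startswith(INSTALLER_PREFIX):
            continue
        when = parse_time(m.group("time"))
        if when <= installed_at:
            continue
        status = int(m.group("status"))
        method = m.group("method")
        severity = "write" if method in WRITE_METHODS and 200 <= status < 300 else "probe"
        hits.append(Hit(m.group("ip"), when, method, path, status, severity))
    return hits


def attacker_ips(hits):
    """Sorted list of client IPs with at least one successful write."""
    return sorted({h.ip for h in hits if h.severity == "write"})


# Constructed sample log (documentation IPs, made-up sub-path). The first
# line is the real install run; the deployment was declared installed at
# 2026-01-05 12:00 UTC, so anything later under /install/api/ is suspect.
INSTALLED_AT = datetime(2026, 1, 5, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2026:11:42:10 +0000] "POST /install/api/step-a HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Jan/2026:08:00:01 +0000] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:03:14:07 +0000] "GET /install/api/step-a HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Jan/2026:03:14:09 +0000] "POST /install/api/step-a?x=1 HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '198.51.100.2 - - [11/Jan/2026:22:01:00 +0000] "POST /install/api/step-a HTTP/1.1" 404 0 "-" "python-requests/2.32"',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG, INSTALLED_AT):
        print(f"{h.severity:5} {h.time.isoformat()} {h.ip} {h.method} {h.path} {h.status}")
    print("IPs with successful writes:", attacker_ips(SAMPLE_LOG and triage(SAMPLE_LOG, INSTALLED_AT)))
```

Set installed_at to the moment the real setup finished (the last legitimate /install/api/ request in the log is a reasonable proxy); every "write" hit after that point on a pre-2.3.10 instance should be treated as a potential admin-account creation or configuration change and followed up in the admin user table and settings, then upgraded to 2.3.10.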

Database specific
{
    "cwe_ids": [
        "CWE-306"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21446.json"
}
References

Affected packages

Git / github.com/bagisto/bagisto

Affected ranges

Type
GIT
Repo
https://github.com/bagisto/bagisto
Events

Affected versions

v2.*
v2.2.10
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21446.json"