CVE-2026-21446
Unauthenticated Access in Bagisto 2.3 API Enables Admin Account Creation
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bagisto | bagisto | to 2.3.10 (exc) |
| bagisto | bagisto | 2.3.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21446 is a critical vulnerability in Bagisto versions prior to 2.3.10 where API routes under /install/api/* remain accessible without authentication even after installation is complete. This allows an unauthenticated attacker to bypass the installer UI and directly call these API endpoints to create admin accounts, modify configurations, or overwrite data. The vulnerability exists because these installer API routes disable authentication middleware and lack checks to confirm if the application is already installed, exposing critical installer functions to anyone. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows unauthenticated attackers to gain full administrative control over the Bagisto application. Attackers can create new admin accounts, change application settings, and overwrite existing data, potentially leading to complete compromise of the eCommerce platform, data loss, unauthorized access, and disruption of business operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the installer API endpoints under `/install/api/*` are accessible without authentication on your Bagisto 2.3 branch prior to 2.3.10. For example, you can use curl commands to send HTTP POST requests to these endpoints and observe if they respond without requiring authentication. A sample command to test admin account creation is: `curl -X POST http://your-bagisto-site/install/api/admin-config-setup`. If this request succeeds without authentication, your system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your Bagisto installation to version 2.3.10 or later, where this vulnerability is fixed. The fix involves adding server-side checks to ensure the application is fully installed before allowing access to installer API endpoints, returning a 404 response if accessed post-installation. Additionally, ensure that the installer API routes enforce authentication or installation state validation middleware. If upgrading immediately is not possible, restrict access to `/install/api/*` endpoints at the network or web server level to prevent unauthenticated access. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to create admin accounts, modify configurations, and overwrite data in the Bagisto platform, potentially leading to unauthorized access and data breaches. Such unauthorized administrative access and data manipulation could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Therefore, exploitation of this vulnerability could compromise compliance by exposing sensitive data and administrative controls to attackers. [1]