CVE-2026-21446
Unknown Unknown - Not Provided
Unauthenticated Access in Bagisto 2.3 API Enables Admin Account Creation

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21446
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
bagisto bagisto to 2.3.10 (exc)
bagisto bagisto 2.3.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21446 is a critical vulnerability in Bagisto versions prior to 2.3.10 where API routes under /install/api/* remain accessible without authentication even after installation is complete. This allows an unauthenticated attacker to bypass the installer UI and directly call these API endpoints to create admin accounts, modify configurations, or overwrite data. The vulnerability exists because these installer API routes disable authentication middleware and lack checks to confirm if the application is already installed, exposing critical installer functions to anyone. [1]

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to gain full administrative control over the Bagisto application. Attackers can create new admin accounts, change application settings, and overwrite existing data, potentially leading to complete compromise of the eCommerce platform, data loss, unauthorized access, and disruption of business operations. [1]

Detection Guidance

You can detect this vulnerability by checking if the installer API endpoints under `/install/api/*` are accessible without authentication on your Bagisto 2.3 branch prior to 2.3.10. For example, you can use curl commands to send HTTP POST requests to these endpoints and observe if they respond without requiring authentication. A sample command to test admin account creation is: `curl -X POST http://your-bagisto-site/install/api/admin-config-setup`. If this request succeeds without authentication, your system is vulnerable. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade your Bagisto installation to version 2.3.10 or later, where this vulnerability is fixed. The fix involves adding server-side checks to ensure the application is fully installed before allowing access to installer API endpoints, returning a 404 response if accessed post-installation. Additionally, ensure that the installer API routes enforce authentication or installation state validation middleware. If upgrading immediately is not possible, restrict access to `/install/api/*` endpoints at the network or web server level to prevent unauthenticated access. [1, 2]

Compliance Impact

This vulnerability allows unauthenticated attackers to create admin accounts, modify configurations, and overwrite data in the Bagisto platform, potentially leading to unauthorized access and data breaches. Such unauthorized administrative access and data manipulation could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Therefore, exploitation of this vulnerability could compromise compliance by exposing sensitive data and administrative controls to attackers. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart