CVE-2026-21447
IDOR Vulnerability in Bagisto Order Reorder Enables Fraud

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference (IDOR) vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
Meta Information
Published: 2026-01-02
Last Modified: 2026-01-02
Generated: 2026-05-07
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Vendor: bagisto
Product: bagisto
Version / Range: all versions before 2.3.10 (2.3.10 excluded)
CWE ID: Description
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21447 is an Insecure Direct Object Reference (IDOR) vulnerability in the Bagisto e-commerce platform's customer order reorder function. Before version 2.3.10, the system allowed any authenticated customer to manipulate the order ID parameter in the reorder URL to add items from another customer's order to their own shopping cart. This happened because the reorder function did not verify that the order belonged to the authenticated user, unlike other order-related functions. As a result, attackers could access and misuse other customers' order data. [1]


How can this vulnerability impact me?

This vulnerability can lead to exposure of sensitive purchase information from other customers and enable potential fraud. An attacker can add items from another customer's order to their own cart, which could be used for social engineering or targeted attacks. The vulnerability has a high confidentiality impact, allowing unauthorized disclosure of purchase data, and a low integrity impact, as it allows limited data modification. It does not affect system availability. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation of this vulnerability can be detected by monitoring HTTP requests to the reorder endpoint for manipulation of the order ID parameter. Specifically, look for authenticated users requesting URLs of the form /reorder/{id} where the order ID does not belong to them. Detection approaches include analyzing web server logs or using a tool such as curl to test the access control. For example, while authenticated, you can request reorder URLs with different order IDs and check whether orders that do not belong to the session can be accessed: curl -i -b cookies.txt https://yourbagistosite.com/reorder/{order_id}. Additionally, reviewing application logs for reorder requests and verifying that order ownership checks are enforced can help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Bagisto to version 2.3.10 or later, where the issue is patched. The patch enforces ownership verification in the reorder functionality by ensuring that only orders belonging to the authenticated customer can be reordered. If upgrading immediately is not possible, as a temporary measure, restrict access to the reorder endpoint or implement custom access control checks to verify order ownership before processing reorder requests. [1, 2]
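The two answers above describe the same control from two sides: an ownership check that the reorder function must enforce, and a log review that looks for reorder requests whose order ID does not belong to the requesting customer. The following is an added example written for this page, not Bagisto's own code. It shows the IDOR-prone lookup beside a deny-by-default ownership guard, then reuses that guard to sweep access-log lines for cross-customer reorder requests. The order table, the customer identifiers, and the log line format (which assumes the web server log has already been joined with the session store to recover the authenticated customer ID) are all constructed assumptions.

```python
"""Ownership-checked reorder plus a log sweep for cross-customer reorder requests.

Added example, not Bagisto's code. ORDERS, SAMPLE_LOG and the log line format
are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed order table: order id -> (owning customer id, line items).
ORDERS: dict[int, tuple[str, list[str]]] = {
    101: ("cust-a", ["sku-red-shoe", "sku-socks"]),
    102: ("cust-a", ["sku-hat"]),
    205: ("cust-b", ["sku-laptop-bag"]),
    310: ("cust-c", ["sku-mug"]),
}


def reorder_unchecked(order_id: int, customer_id: str) -> list[str]:
    """IDOR-prone form: the order is fetched by id alone, so the caller's
    identity never enters the lookup and any customer's order can be reused."""
    return list(ORDERS[order_id][1])


def order_owned_by(order_id: int, customer_id: str) -> bool:
    """Deny-by-default ownership check: an unknown order id is never 'owned'."""
    record = ORDERS.get(order_id)
    return record is not None and record[0] == customer_id


def reorder_checked(order_id: int, customer_id: str) -> list[str]:
    """Hardened form: the lookup is scoped to the caller's own orders, so a
    foreign order id and a non-existent one produce the same 'not found'."""
    if not order_owned_by(order_id, customer_id):
        raise LookupError(f"order {order_id} not found for customer {customer_id}")
    return list(ORDERS[order_id][1])


# Constructed access-log lines in an assumed format:
#   <timestamp> <authenticated customer id> <method> <path> <status>
SAMPLE_LOG = """\
2026-01-02T10:00:01Z cust-a GET /reorder/101 302
2026-01-02T10:00:05Z cust-b GET /reorder/101 302
2026-01-02T10:00:09Z cust-b GET /reorder/205 302
2026-01-02T10:00:12Z cust-c GET /reorder/999 302
2026-01-02T10:00:15Z cust-c GET /customer/account 200
"""

# Only reorder requests match; every other path is ignored by the sweep.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) /reorder/(\d+) (\d{3})$")


def flag_cross_customer_reorders(lines: Iterable[str]) -> list[dict]:
    """Return one finding per reorder request whose order id is not owned by
    the requesting customer. 'owner' is None when the order id does not exist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, customer, _method, order_id, status = m.groups()
        oid = int(order_id)
        if order_owned_by(oid, customer):
            continue
        owner = ORDERS[oid][0] if oid in ORDERS else None
        findings.append({"time": ts, "customer": customer, "order_id": oid,
                         "owner": owner, "status": int(status)})
    return findings


if __name__ == "__main__":
    # The unchecked form hands cust-b the contents of cust-a's order 101.
    print("unchecked:", reorder_unchecked(101, "cust-b"))
    # The checked form refuses the same request.
    try:
        reorder_checked(101, "cust-b")
    except LookupError as exc:
        print("checked:", exc)
    for f in flag_cross_customer_reorders(SAMPLE_LOG.splitlines()):
        print("finding:", f)
```

The hardened lookup deliberately reports a foreign order and a non-existent order identically, so the response does not reveal which order IDs exist. The log sweep applies the same predicate, which is why a single ownership table drives both the control and the detection; in a real deployment the table would be a query against the orders store and the customer column would come from the session, not from anything the client sent.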


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability exposes sensitive purchase information of other customers due to improper access control, which can lead to unauthorized disclosure of personal data. Such exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access. Therefore, the vulnerability poses a risk to compliance with these standards by allowing authenticated users to access data they should not have access to, potentially leading to privacy violations and associated legal consequences. [1]

