Executive Summary

CVE-2026-21447 is an Insecure Direct Object Reference (IDOR) vulnerability in the Bagisto e-commerce platform's customer order reorder function. Before version 2.3.10, the system allowed any authenticated customer to manipulate the order ID parameter in the reorder URL to add items from another customer's order to their own shopping cart. This happened because the reorder function did not verify that the order belonged to the authenticated user, unlike other order-related functions. As a result, attackers could access and misuse other customers' order data. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to exposure of sensitive purchase information from other customers and enable potential fraud. An attacker can add items from another customer's order to their own cart, which could be used for social engineering or targeted attacks. The vulnerability has a high confidentiality impact, allowing unauthorized disclosure of purchase data, and a low integrity impact, as it allows limited data modification. It does not affect system availability. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the reorder endpoint for suspicious manipulation of the order ID parameter. Specifically, look for authenticated users accessing URLs like /reorder/{id} where the order ID does not belong to them. Commands to detect this could include analyzing web server logs or using tools like curl to test access control. For example, you can use curl to attempt accessing reorder URLs with different order IDs while authenticated to see if unauthorized orders can be accessed: curl -i -b cookies.txt https://yourbagistosite.com/reorder/{order_id}. Additionally, reviewing application logs for reorder requests and verifying if order ownership checks are enforced can help detect exploitation attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Bagisto to version 2.3.10 or later, where the issue is patched. The patch enforces ownership verification in the reorder functionality by ensuring that only orders belonging to the authenticated customer can be reordered. If upgrading immediately is not possible, as a temporary measure, restrict access to the reorder endpoint or implement custom access control checks to verify order ownership before processing reorder requests. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes sensitive purchase information of other customers due to improper access control, which can lead to unauthorized disclosure of personal data. Such exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access. Therefore, the vulnerability poses a risk to compliance with these standards by allowing authenticated users to access data they should not have access to, potentially leading to privacy violations and associated legal consequences. [1]

Useful 0 Not Useful 0