CVE-2026-21446: Missing Authentication for Critical Function in Bagisto

Severity
8.8 HIGH (NVD)

EPSS
0.1% (top 66.40%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Jan 2, 2026

Description

Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, the installer API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the web installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwri
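Because the installer API answers without authentication, the practical question for an operator of an unpatched 2.3.x site is whether anyone called `/install/api/*` after the original installation finished. The script below is an added example, not code from the page or from the Bagisto project: it parses combined-format web-server access logs, keeps only requests under the `/install/api/` prefix named in the advisory, discards those made before a caller-supplied installation timestamp, and flags the ones the application actually served (2xx) as opposed to refused (404, as a patched install or a proxy block would). The log lines are constructed samples using RFC 5737 documentation addresses, and the paths below `/install/api/` are placeholders; the advisory does not list the individual route names and none are assumed here.

```python
import re
from datetime import datetime

# Installer API prefix named in the advisory for CVE-2026-21446.
INSTALL_API_PREFIX = "/install/api/"

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (assumption: not from any real host). The segments
# after /install/api/ are placeholders, not real Bagisto route names.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jan/2026:10:15:02 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2026:10:16:40 +0000] "POST /install/api/placeholder-step HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [03/Jan/2026:10:16:41 +0000] "POST /install/api/placeholder-step?x=1 HTTP/1.1" 200 44 "-" "python-requests/2.31"
203.0.113.5 - - [03/Jan/2026:11:02:13 +0000] "GET /install/api/other-placeholder HTTP/1.1" 404 0 "-" "curl/8.4.0"
192.0.2.10 - - [02/Jan/2026:09:00:00 +0000] "POST /install/api/placeholder-step HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Jan/2026:11:05:00 +0000] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string so prefix matching is not confused by "?" payloads.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_installer_api_hits(lines, installed_at_iso):
    """Return requests to /install/api/* made after the installation finished.

    installed_at_iso is an ISO 8601 timestamp with offset (e.g. the time the
    original installer run completed). Each returned record carries 'served',
    True for a 2xx response: on an unpatched 2.3.x install the installer API
    answers unauthenticated, so a served request after installation is the
    event to investigate. A 404 means the route was not reachable.
    """
    installed_at = datetime.fromisoformat(installed_at_iso)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(INSTALL_API_PREFIX):
            continue
        if rec["ts"] <= installed_at:
            continue  # legitimate traffic from the original installation
        rec["served"] = 200 <= rec["status"] < 300
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_installer_api_hits(SAMPLE_LOG.splitlines(), "2026-01-02T09:30:00+00:00"):
        flag = "SERVED" if h["served"] else "refused"
        print(f'{h["ts"].isoformat()} {h["ip"]} {h["method"]} {h["path"]} {h["status"]} {flag}')
```

Run it against real logs by replacing `SAMPLE_LOG.splitlines()` with an open file and the timestamp with the time your installer run completed; any served hit from an address you do not recognise means the admin accounts and configuration should be audited, not just the package upgraded to 2.3.10. The installation-time cutoff matters because the legitimate installer run produces exactly these requests, so without it every site shows "hits".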

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 entries)

Source       Package           Affected range
NVD          webkul/bagisto    2.3.0 up to (fixed in) 2.3.10
Packagist    bagisto/bagisto   2.3.0 up to (fixed in) 2.3.10
CVEList V5   bagisto/bagisto   >= 2.3.0, < 2.3.10

🔴 Vulnerability Details (3 references)

CVEList: Bagisto Missing Authentication on Installer API Endpoints (2026-01-02)
OSV: Bagisto Missing Authentication on Installer API Endpoints (2026-01-02)
GHSA: Bagisto Missing Authentication on Installer API Endpoints (2026-01-02)

🕵️ Threat Intelligence (1 reference)

Wiz: CVE-2026-21446 Impact, Exploitability, and Mitigation Steps
CVE-2026-21446 — Webkul Bagisto vulnerability | cvebase