Bagisto Missing Authentication on Installer API Endpoints_CVE-2026-21446

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Description

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

AI Analysis

Missing authentication on installer API endpoints allows unauthenticated attackers to create admin accounts, modify configurations, and overwrite data.

Basic Information

ID CVE-2026-21446

Source GitHub_M

Published Jan 2, 2026 at 19:18

Affected Product

Vendor bagisto

Product bagisto

Version >= 2.3.0, < 2.3.10

Affected Versions bagisto bagisto >= 2.3.0, < 2.3.10

CWE Classification

CWE-306

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Bagisto

Product Bagisto eCommerce Platform

Version 2.3.0 to 2.3.9

References

{
    "lastseen": "",
    "description": "Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.",
    "published": "2026-01-02T19:18:36.095Z",
    "modified": "2026-01-02T19:18:36.095Z",
    "type": "cve",
    "title": "Bagisto Missing Authentication on Installer API Endpoints",
    "source": "GitHub_M",
    "references": "https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw\nhttps://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed",
    "id": "CVE-2026-21446",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "bagisto bagisto >= 2.3.0, < 2.3.10",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "bagisto",
    "version": ">= 2.3.0, < 2.3.10",
    "vendor": "bagisto",
    "ai_description": "Missing authentication on installer API endpoints allows unauthenticated attackers to create admin accounts, modify configurations, and overwrite data.",
    "ai_severity": "High",
    "ai_vendor": "Bagisto",
    "ai_product": "Bagisto eCommerce Platform",
    "ai_version": "2.3.0 to 2.3.9",
    "ai_score": 8.8
}