
CVE-2026-21446

Severity: High · Public PoC available

Published: 02 January 2026
Modified: 08 January 2026
KEV Added: not listed
Patch: available (fixed in 2.3.10)
CVSS v4.0 base score: 8.8 (High) · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P (remaining metrics not defined)
EPSS score: 0.0058 (43.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21446 is a Missing Authentication for Critical Function (CWE-306) vulnerability in Webkul Bagisto. Its CVSS v4.0 base score is 8.8 (High); under CVSS v3.1 it scores 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score of 0.0058 places it at the 43.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. A below-median EPSS should not outweigh an unauthenticated admin-creation primitive with a public PoC on an Internet-facing storefront; prioritise by exposure.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-21446 is a vulnerability in Bagisto, an open-source Laravel-based eCommerce platform, rated Critical under CVSS v3.1. It affects versions on the 2.3 branch prior to 2.3.10, where the installer's API routes under the /install/api/* path remain registered and reachable after the initial installation has completed. Because these endpoints perform no authentication check, any client that can reach the application can call them; the root cause is a missing authentication check for a critical function (CWE-306). The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impact. Note that the CVSS v4.0 vector above scores availability impact as none (VA:N), so the two scorings differ on that axis.

Any unauthenticated remote attacker can exploit this vulnerability by invoking the installation API endpoints directly, bypassing the web-based installer entirely. Successful exploitation lets the attacker create administrative accounts, modify core application configuration, and potentially overwrite existing database content, yielding full unauthorized control of the eCommerce instance.

The Bagisto security advisory (GHSA-6h7w-v2xr-mqvw) and the associated commit (380c045e48490da740cd505fb192cc45e1809bed) confirm that version 2.3.10 resolves the issue by disabling or securing these post-installation API routes. Affected deployments should be upgraded to 2.3.10 or later without delay, and operators should confirm afterwards that requests to /install/api/* no longer succeed against the patched instance. Until the upgrade lands, blocking the /install/ path prefix at the reverse proxy or WAF is a reasonable interim control, and web-server access logs should be reviewed for any post-installation requests to that prefix.

Vulnerability details

Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

CWE(s)

CWE-306 Missing Authentication for Critical Function

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability lets unauthenticated remote attackers invoke public-facing installer API endpoints of the Bagisto eCommerce platform and take full control of the application through installation functions, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
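The T1190 mapping above and the advice in the deeper analysis to check that installer endpoints are no longer exposed both come down to the same question for a defender: did anyone call /install/api/* after installation finished, and did the server answer 2xx? The script below is an added example written for this page, not Bagisto's code and not part of the advisory. It parses combined-log-format access-log lines, drops requests from the legitimate installation window, and groups the rest by source address, distinguishing confirmed exposure (a 2xx on an installer route after install) from mere probing (4xx only, as expected from a patched or blocked instance). The sub-paths under /install/api/ in the sample lines and the INSTALL_COMPLETED timestamp are constructed placeholders; the real endpoint names are not reproduced here.

```python
"""Hunt access logs for post-install calls to Bagisto's /install/api/* routes.

Added example for this page; not Bagisto's own code and not from the advisory.
Assumes combined log format and that the operator knows when installation
legitimately completed (INSTALL_COMPLETED is a hypothetical value).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Route prefix named in the advisory; any hit under it after install is suspect.
INSTALL_PREFIX = "/install/api/"

# Hypothetical: when this deployment's installer legitimately finished.
INSTALL_COMPLETED = datetime(2025, 11, 15, 9, 0, tzinfo=timezone.utc)

# Constructed sample log: one legitimate installer request inside the setup
# window, two successful post-install calls from one source, one 404 probe,
# and ordinary storefront traffic. Sub-paths are placeholders, not real routes.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2025:08:41:07 +0000] "POST /install/api/sample-step HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2026:02:14:51 +0000] "GET /install/api/sample-step HTTP/1.1" 200 338 "-" "python-requests/2.31"
203.0.113.9 - - [03/Jan/2026:02:14:53 +0000] "POST /install/api/sample-admin-step?x=1 HTTP/1.1" 200 91 "-" "python-requests/2.31"
198.51.100.4 - - [03/Jan/2026:04:00:10 +0000] "GET /install/api/sample-step HTTP/1.1" 404 153 "-" "curl/8.4.0"
192.0.2.77 - - [03/Jan/2026:04:05:00 +0000] "GET /api/v1/products HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # compare on path only, ignore query
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def hunt_post_install_calls(log_text, installed_at=INSTALL_COMPLETED):
    """Group post-install requests to the installer API by source address."""
    findings = defaultdict(lambda: {"requests": 0, "succeeded": 0,
                                    "paths": set(), "first_seen": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(INSTALL_PREFIX):
            continue
        if rec["ts"] <= installed_at:
            continue  # installer traffic from the legitimate setup window
        f = findings[rec["ip"]]
        f["requests"] += 1
        f["paths"].add(rec["path"])
        if 200 <= rec["status"] < 300:
            f["succeeded"] += 1  # the route answered: it is live and reachable
        if f["first_seen"] is None or rec["ts"] < f["first_seen"]:
            f["first_seen"] = rec["ts"]
    return dict(findings)


def severity(finding):
    """2xx after install means the installer route is exposed; 4xx-only is a probe."""
    return "confirmed-exposure" if finding["succeeded"] else "probe-only"


if __name__ == "__main__":
    for ip, f in hunt_post_install_calls(SAMPLE_LOG).items():
        print(f"{ip}: {severity(f)} ({f['succeeded']}/{f['requests']} succeeded, "
              f"first seen {f['first_seen'].isoformat()}, paths={sorted(f['paths'])})")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and INSTALL_COMPLETED with the deployment's actual installation time; any source in the "confirmed-exposure" bucket warrants an admin-account and configuration audit, since the advisory states those are exactly what the endpoints allow an attacker to change.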

CVEs Like This One

CVE-2026-21448 · Same product: Webkul Bagisto
CVE-2026-21447 · Same product: Webkul Bagisto
CVE-2026-21450 · Same product: Webkul Bagisto
CVE-2026-21451 · Same product: Webkul Bagisto
CVE-2026-21449 · Same product: Webkul Bagisto
CVE-2025-67325 · Same vendor: Webkul
CVE-2026-38530 · Same vendor: Webkul
CVE-2026-4810 · Shared CWE-306
CVE-2025-53847 · Shared CWE-306
CVE-2025-61757 · Shared CWE-306

Affected Assets

Vendor: webkul
Product: bagisto
Versions: 2.3.0 up to but not including 2.3.10 (fixed in 2.3.10)

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent): Directly identifies and restricts the actions, such as access to the /install/api/* endpoints, that are permitted without identification or authentication after installation.

AC-3 Access Enforcement (prevent): Enforces approved authorizations so that unauthenticated access to the installation API endpoints that allow admin creation and configuration changes is blocked.

CM-7 Least Functionality (prevent): Restricts the system to least functionality by disabling the installation API routes once initial setup is complete, removing their exposure to exploitation.
