Cyber Posture

CVE-2026-21446

Severity: Critical · Public PoC

Published: 02 January 2026

Modified: 08 January 2026
KEV Added: not listed
Patch: fixed in 2.3.10
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21446 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Webkul Bagisto. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 34.4th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS score is a prediction of observed exploitation activity, not a measure of difficulty: the CVSS vector shows the attack is network-reachable, low complexity and needs neither privileges nor user interaction, and a PoC is public, so Internet-facing instances should be treated as readily exploitable.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Requires the organization to enumerate and restrict the actions that may be performed without identification or authentication. Access to the /install/api/* endpoints after installation is complete must not be among them.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations so that unauthenticated requests to the installation API endpoints, which allow admin-account creation and configuration changes, are refused.

CM-7 Least Functionality (prevent)
Restricts the system to the functionality it needs: the installation API routes are disabled once initial setup is finished, so they are neither exposed nor exploitable afterwards.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to exploit public-facing API endpoints in the Bagisto eCommerce platform, enabling full unauthorized control via installation functions, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
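Detecting attempts against this weakness in web-server logs comes down to watching for requests under /install/api/ on an instance whose installation is already complete. The following is an added example, not from this page, the advisory or the Bagisto project: a small scanner over Apache/nginx combined-format access log lines. The sample lines are constructed, and the `example` route name in them is a placeholder, since the advisory only names the /install/api/* prefix. The scanner normalises the request path before matching (so encoded or slash-padded probes are not missed) and uses the response status to tell a patched instance, where the route is gone (404) or gated (401/403), from one that still routes the request to a handler.

```python
# Added example (not Bagisto code, not from the advisory): flag requests to the
# installer API in combined-format access logs and grade them by response status.
import re
from urllib.parse import unquote

# Combined Log Format (Apache/nginx default):
#   host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

INSTALL_API_PREFIX = "/install/api/"


def normalize_path(target: str) -> str:
    """Canonicalise a request target before prefix matching: drop the query
    string, percent-decode twice (catches double-encoded probes) and collapse
    repeated slashes, so '/install//api/%65xample?x=1' and
    '/install/api/example' compare equal."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return re.sub(r"/+", "/", path)


def verdict(status: int) -> tuple:
    """Map the status of an installer-API request to (severity, reason).

    Where the routes are disabled the request gets a 404; where they are gated
    it gets 401/403. Anything else means the route is still registered: 405 or
    a 4xx validation error shows the handler ran, a 5xx shows it ran and failed,
    and a 2xx means the request was processed."""
    if status == 404:
        return "low", "route not registered"
    if status in (401, 403):
        return "low", "route gated by authentication or authorization"
    if 300 <= status < 400:
        return "info", "redirected; confirm the target is not the installer"
    if 200 <= status < 300:
        return "high", "installer API processed an unauthenticated request"
    return "high", "installer API route is registered (handler answered %d)" % status


def scan(lines):
    """Return one finding per request whose normalised path is under
    /install/api/, in log order. Lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("target"))
        if not path.startswith(INSTALL_API_PREFIX):
            continue
        status = int(m.group("status"))
        severity, reason = verdict(status)
        findings.append({
            "time": m.group("time"),
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": path,
            "status": status,
            "severity": severity,
            "reason": reason,
        })
    return findings


# Constructed sample traffic (not real logs). "example" stands in for a real
# installer route name; the advisory only names the /install/api/* prefix.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jan/2026:10:00:01 +0000] "POST /install/api/example HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [09/Jan/2026:10:00:02 +0000] "GET /install//api/%65xample?probe=1 HTTP/1.1" 405 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [09/Jan/2026:10:05:00 +0000] "POST /install/api/example HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '198.51.100.7 - - [09/Jan/2026:10:05:01 +0000] "GET /install/api/example HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '192.0.2.9 - - [09/Jan/2026:10:06:00 +0000] "GET /shop/products?limit=10 HTTP/1.1" 200 8212 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%(severity)-4s %(time)s %(ip)s %(method)s %(path)s -> %(status)d: %(reason)s" % f)
```

On the constructed sample the first two requests come out as high (a processed POST, and a 405 that proves the route is still registered despite the encoded, slash-padded path), while the two later ones against a host that answers 404 and 403 come out as low. Feed it `sys.stdin` or a file for real logs; the only Bagisto-specific input is the prefix.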

NVD Description

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the UI installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

Deeper analysis

CVE-2026-21446 is a critical vulnerability in Bagisto, an open-source Laravel-based eCommerce platform. It affects versions on the 2.3 branch prior to 2.3.10, in which the installer's API routes under /install/api/* remain registered and reachable after initial installation has completed. Because these endpoints perform no authentication check, the weakness is classified as CWE-306 (Missing Authentication for Critical Function). The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low complexity, no privileges or user interaction required, with high confidentiality, integrity and availability impact.

Any unauthenticated remote attacker can exploit the flaw by calling the installation API endpoints directly, bypassing the web-based installer UI. Successful exploitation lets the attacker create administrative accounts, modify core application configuration and potentially overwrite existing data, giving full unauthorized control over the eCommerce instance.

The Bagisto security advisory (GHSA-6h7w-v2xr-mqvw) and the associated fix commit (380c045e48490da740cd505fb192cc45e1809bed) confirm that upgrading to version 2.3.10 resolves the issue by disabling or securing these post-installation API routes. Affected deployments should be upgraded to 2.3.10 or later immediately. After upgrading, confirm that nothing under /install/api/ still answers unauthenticated requests, and, since the vulnerable versions let an attacker create admin accounts without any credentials, review the admin user list and recent configuration changes on any instance that was Internet-facing while unpatched.
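A post-patch verification of the kind recommended above, as an added example that is not Bagisto's code and is not from the advisory. It issues GET requests with no body and no credentials to the given paths and reports whether each route is still registered; it invokes no installer action. The paths are an input: the bare /install/api/ prefix is the default, but it may return 404 even on an affected version if no route is registered at exactly that path, so take the real route paths from `php artisan route:list` on the deployment. The embedded fake server exists only so the check can be exercised offline; its 200-on-affected / 404-on-fixed behaviour is an assumption, not observed Bagisto output.

```python
# Added example, not Bagisto's code and not from the advisory: check whether
# paths under /install/api/ still answer unauthenticated requests after patching.
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx must be reported as such, otherwise a
    redirect to the storefront would surface as a 200 and look like exposure."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, paths=("/install/api/",), timeout=5):
    """GET each path unauthenticated; return {path: (status, exposed)}.

    404 (route gone), 401/403 (route gated) and 3xx (sent elsewhere) count as
    not exposed. Any other code, including 405 and 422, means the framework
    matched the route and ran a handler without authentication. Nothing is
    created or changed on the target."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "install-api-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        exposed = status not in (401, 403, 404) and not (300 <= status < 400)
        results[path] = (status, exposed)
    return results


def check(base_url, paths=("/install/api/",)):
    """True if any probed path is still exposed."""
    return any(exposed for _, exposed in probe(base_url, paths).values())


class FakeBagisto(BaseHTTPRequestHandler):
    """Offline stand-in for a target. ASSUMPTION: an affected version answers
    installer paths with 200 and a fixed one with 404; this is not observed
    Bagisto behaviour, it only lets the check run without a real instance."""
    patched = True

    def do_GET(self):
        if self.path.startswith("/install/api/") and not self.patched:
            self._reply(200, b'{"status": "ok"}')  # constructed body
        else:
            self._reply(404, b"Not Found")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep per-request logging quiet
        pass


def serve(patched):
    """Start a FakeBagisto on a free loopback port; return (server, base_url)."""
    handler = type("Handler", (FakeBagisto,), {"patched": patched})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    # usage: python check_install_api.py https://shop.example [/install/api/... ...]
    base = sys.argv[1]
    paths = tuple(sys.argv[2:]) or ("/install/api/",)
    for path, (status, exposed) in probe(base, paths).items():
        print("%s -> %d %s" % (path, status, "EXPOSED" if exposed else "not exposed"))
    sys.exit(1 if check(base, paths) else 0)
```

Run it from a host that reaches the storefront the way the Internet does (not from inside the app network), so that any reverse-proxy rule that blocks the prefix is part of what is tested. A non-zero exit on any exposed path makes it usable as a post-deploy gate.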

Details

CWE(s)
CWE-306 Missing Authentication for Critical Function

Affected Products
webkul bagisto: 2.3.0 up to, but not including, 2.3.10 (fixed in 2.3.10)

CVEs Like This One

CVE-2026-21448 (same product: Webkul Bagisto)
CVE-2026-21447 (same product: Webkul Bagisto)
CVE-2026-21451 (same product: Webkul Bagisto)
CVE-2026-21450 (same product: Webkul Bagisto)
CVE-2026-21449 (same product: Webkul Bagisto)
CVE-2025-67325 (same vendor: Webkul)
CVE-2026-38530 (same vendor: Webkul)
CVE-2026-26340 (shared CWE-306)
CVE-2025-54816 (shared CWE-306)
CVE-2025-53072 (shared CWE-306)

References

GHSA-6h7w-v2xr-mqvw (Bagisto security advisory)
Commit 380c045e48490da740cd505fb192cc45e1809bed (fix in the Bagisto repository, released in 2.3.10)