Cyber Resilience

CVE-2026-21447

Severity: High · Public PoC

Published: 02 January 2026
Modified: 08 January 2026
KEV Added: not listed
Patch: available (2.3.10)
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0001 (2.6th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21447 is a high-severity Improper Access Control (CWE-284) vulnerability in Webkul Bagisto. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 2.6th percentile by exploit likelihood (EPSS, below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-21447 is an Insecure Direct Object Reference (IDOR) vulnerability in Bagisto, an open-source Laravel eCommerce platform. Affecting versions prior to 2.3.10, the flaw exists in the customer order reorder function, where the order ID parameter can be manipulated. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and maps to CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Any authenticated customer can exploit this vulnerability remotely with low complexity and no user interaction required. By altering the order ID parameter, an attacker can add items from another customer's order to their own shopping cart, exposing sensitive purchase information and facilitating potential fraud.

Bagisto's security advisory (GHSA-x5rw-qvvp-5cgm) and the associated patch commit (b2b1cf62577245d03a68532478cffbe321df74d3) confirm that version 2.3.10 resolves the issue through server-side validation of order ownership. Security practitioners should urge administrators to upgrade to Bagisto 2.3.10 or later to mitigate exploitation.

Vulnerability details

Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

CWE(s)

CWE-284 Improper Access Control
CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

IDOR in public-facing eCommerce app directly enables remote exploitation of authorization bypass for unauthorized data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21446 (same product: Webkul Bagisto)
CVE-2026-21448 (same product: Webkul Bagisto)
CVE-2026-21450 (same product: Webkul Bagisto)
CVE-2026-21451 (same product: Webkul Bagisto)
CVE-2026-21449 (same product: Webkul Bagisto)
CVE-2026-38530 (same vendor: Webkul)
CVE-2025-67325 (same vendor: Webkul)
CVE-2026-38532 (same vendor: Webkul)
CVE-2026-20897 (shared CWE-284, CWE-639)
CVE-2026-25758 (shared CWE-284, CWE-639)

Affected Assets

Vendor: webkul
Product: bagisto
Versions: ≤ 2.3.10

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3 Access Enforcement): Directly enforces authorization checks so an authenticated user cannot reorder items belonging to another customer's order ID.

Prevent (AC-6 Least Privilege): Limits each customer account to only the order objects it owns, preventing cross-customer access even when the same role is used.

Prevent: Requires validation of the user-supplied order ID against server-side ownership records before any reorder action is performed.
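The IDOR pattern described in the "Deeper analysis" section and the ownership check the controls above call for, shown side by side as an added illustration. This is not Bagisto's code and does not reproduce the patch commit; it is a self-contained PHP model in which an in-memory array stands in for the orders table, and the function names, customer and order IDs, and SKUs are all constructed for the example.

```php
<?php
// Added illustration (not Bagisto's code): a "reorder" action that trusts the
// user-supplied order ID, beside the version that scopes the lookup to the
// authenticated customer. The data layer is a constructed in-memory array.

declare(strict_types=1);

// Constructed sample data: two customers, each owning one order.
const ORDERS = [
    101 => ['customer_id' => 1, 'items' => [['sku' => 'SKU-A', 'qty' => 2]]],
    102 => ['customer_id' => 2, 'items' => [['sku' => 'SKU-B', 'qty' => 1]]],
];

/**
 * Vulnerable pattern (CWE-639): the order is fetched by the supplied ID alone.
 * Authentication establishes who the caller is, but nothing ties the order to
 * that caller, so $currentCustomerId is accepted and then never consulted.
 */
function reorderVulnerable(int $currentCustomerId, int $orderId, array &$cart): bool
{
    $order = ORDERS[$orderId] ?? null;
    if ($order === null) {
        return false;
    }
    foreach ($order['items'] as $item) {
        $cart[] = $item;
    }
    return true;
}

/**
 * Hardened pattern (AC-3 / AC-6): ownership is checked against the server-side
 * record before any item is copied. An order that exists but belongs to another
 * customer gets the same answer as one that does not exist, so the response does
 * not confirm which order IDs are valid. Each refusal is recorded for detection.
 */
function reorderHardened(int $currentCustomerId, int $orderId, array &$cart, array &$auditLog): bool
{
    $order = ORDERS[$orderId] ?? null;
    if ($order === null || $order['customer_id'] !== $currentCustomerId) {
        $auditLog[] = sprintf('reorder denied: customer=%d order=%d', $currentCustomerId, $orderId);
        return false;
    }
    foreach ($order['items'] as $item) {
        $cart[] = $item;
    }
    return true;
}

// Demonstration: customer 1 submits order 102, which belongs to customer 2.
$cart = [];
$audit = [];
$accepted = reorderVulnerable(1, 102, $cart);
printf("vulnerable: accepted=%s, cart items=%d\n", $accepted ? 'yes' : 'no', count($cart));

$cart = [];
$accepted = reorderHardened(1, 102, $cart, $audit);
printf("hardened:   accepted=%s, cart items=%d, audit entries=%d\n", $accepted ? 'yes' : 'no', count($cart), count($audit));

// The legitimate path is unaffected: customer 1 reorders their own order 101.
$cart = [];
$accepted = reorderHardened(1, 101, $cart, $audit);
printf("own order:  accepted=%s, cart items=%d\n", $accepted ? 'yes' : 'no', count($cart));
```

In a Laravel application the same fix is usually expressed by scoping the query through the authenticated user's relationship (for example, the customer's own orders) rather than looking the order up by primary key alone; the essential property is the one shown above, that the ownership comparison happens on the server before the reorder proceeds. The audit entry written on refusal is what gives a SOC something to alert on: a single account producing a burst of denied reorders across many distinct order IDs is the signature of probing for this class of flaw.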
