CVE-2026-21447
Published: 02 January 2026
Summary
CVE-2026-21447 is a high-severity Improper Access Control (CWE-284) vulnerability in Webkul Bagisto. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 2.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-21447 is an Insecure Direct Object Reference (IDOR) vulnerability in Bagisto, an open-source Laravel eCommerce platform. Affecting versions prior to 2.3.10, the flaw exists in the customer order reorder function, where the order ID parameter can be manipulated. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and maps to CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).
Any authenticated customer can exploit this vulnerability remotely with low complexity and no user interaction required. By altering the order ID parameter, an attacker can add items from another customer's order to their own shopping cart, exposing sensitive purchase information and facilitating potential fraud.
Bagisto's security advisory (GHSA-x5rw-qvvp-5cgm) and the associated patch commit (b2b1cf62577245d03a68532478cffbe321df74d3) confirm that version 2.3.10 resolves the issue through server-side validation of order ownership. Security practitioners should urge administrators to upgrade to Bagisto 2.3.10 or later to mitigate exploitation.
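The contrast between the flawed lookup and the server-side ownership check described above, as an added illustration that is not Bagisto's code and not taken from the patch commit: the in-memory order table, customer ids, SKUs and function names are constructed for this example, and the Laravel equivalent named in the comment assumes a hypothetical `orders()` relation on the customer model.

```php
<?php
// Added example for the IDOR pattern in CVE-2026-21447 and its fix.
// NOT Bagisto's code: the order table, ids and function names are constructed.
declare(strict_types=1);

final class AuthorizationException extends RuntimeException {}

// Constructed in-memory order table: order id => [owner customer id, items].
const ORDERS = [
    1001 => ['customer_id' => 7, 'items' => ['sku-red-shirt' => 2]],
    1002 => ['customer_id' => 9, 'items' => ['sku-gift-card' => 1]],
];

// Vulnerable pattern: the order is fetched by the user-supplied id alone and
// $currentCustomerId is never consulted, so any authenticated customer can
// copy any order they can name into their own cart.
function reorderVulnerable(int $currentCustomerId, int $orderId, array &$cart): array
{
    $order = ORDERS[$orderId] ?? null;
    if ($order === null) {
        throw new InvalidArgumentException("order $orderId not found");
    }
    foreach ($order['items'] as $sku => $qty) {
        $cart[$sku] = ($cart[$sku] ?? 0) + $qty;
    }
    return $cart;
}

// Hardened pattern: the lookup is scoped to the authenticated customer, so a
// foreign order id is treated exactly like a non-existent one. In a Laravel
// controller the equivalent is scoping the query to the logged-in user, e.g.
// $request->user()->orders()->findOrFail($orderId) (relation name assumed).
function reorderSecure(int $currentCustomerId, int $orderId, array &$cart): array
{
    $order = ORDERS[$orderId] ?? null;
    if ($order === null || $order['customer_id'] !== $currentCustomerId) {
        // One error for "missing" and "not yours" avoids confirming to a
        // non-owner that the order exists.
        throw new AuthorizationException("order $orderId is not available");
    }
    foreach ($order['items'] as $sku => $qty) {
        $cart[$sku] = ($cart[$sku] ?? 0) + $qty;
    }
    return $cart;
}

// Demonstration: customer 7 reorders their own order, then requests order 1002,
// which belongs to customer 9.
$cart = [];
reorderSecure(7, 1001, $cart);                 // ok: cart now holds 2 x sku-red-shirt
try {
    reorderSecure(7, 1002, $cart);             // rejected by the ownership check
} catch (AuthorizationException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

$leakedCart = [];
reorderVulnerable(7, 1002, $leakedCart);       // succeeds: this is the IDOR
echo "vulnerable path exposed " . count($leakedCart) . " item(s) from another customer's order\n";
```

The defensive point is where the check lives: ownership is enforced in the query or lookup on the server, never inferred from the order id the client sends. Collapsing "not found" and "not yours" into one response also removes an oracle that would otherwise let a caller confirm which order ids exist.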
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0748
Vulnerability details
Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An IDOR in a public-facing eCommerce application lets a remote, authenticated user bypass authorization and read data belonging to other customers, which is the behaviour T1190 describes.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces authorization checks so an authenticated user cannot reorder items belonging to another customer's order ID.
- Limits each customer account to only the order objects it owns, preventing cross-customer access even when the same role is used.
- Requires validation of the user-supplied order ID against server-side ownership records before any reorder action is performed.