What is CVE-2026-21446?

A high-severity vulnerability in Webkul's Bagisto allows unauthenticated attackers to access sensitive API endpoints. Organizations must patch to prevent unauthorized access immediately.

What is the severity of CVE-2026-21446?

CVE-2026-21446 has a severity rating of HIGH with a CVSS base score of 8.8.

CVE-2026-21446 | High Vulnerability in Webkul Bagisto

CVE-2026-21446 is a high-severity vulnerability affecting Webkul's Bagisto, an open-source Laravel eCommerce platform. This vulnerability allows unauthenticated attackers to exploit active API routes that remain accessible even after the initial installation is complete. Specifically, the underlying API endpoints (`/install/api/*`) can be accessed without any form of authentication, allowing attackers to bypass the installer entirely.

The vulnerability was assigned a CVSS score of 8.8, indicating a high severity level. This score reflects the potential for significant impact, as attackers may create unauthorized admin accounts, modify application settings, and potentially overwrite critical data. It is crucial for organizations using affected versions of Bagisto to address this vulnerability promptly.

Organizations should prioritize patching immediately. The fixed version, Bagisto 2.3.10, addresses this issue, and users are urged to upgrade to this version to mitigate the risk associated with this vulnerability.

As of now, there is no known public exploit available, and the vulnerability is not included in the Known Exploited Vulnerabilities (KEV) catalog. However, the lack of authentication on critical API endpoints poses a serious risk, and attackers could exploit this vulnerability at any time.

Given the nature of the vulnerability, organizations must remain vigilant and ensure that they apply the necessary patches to prevent potential exploitation.

Vulnerability Details

Bagisto is an open-source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after the initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

Technical Analysis

The root cause of this vulnerability lies in the improper handling of API endpoints during the installation phase. The attack vector is network-based, with low attack complexity, meaning that attackers do not require special privileges or user interaction to exploit the vulnerability. The vulnerability has a high impact on confidentiality and integrity, as unauthorized users can gain access to sensitive administrative functionalities.

Risk & Impact Analysis

Risk to organizations includes unauthorized access to sensitive data, modification of application settings, and potential data loss. The blast radius is significant, as any organization using affected versions of Bagisto is at risk. Given the high CVSS score of 8.8, organizations should address this vulnerability in their priority patch cycle.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects all versions of Bagisto on the 2.3 branch prior to 2.3.10. Organizations are advised to upgrade to version 2.3.10 to mitigate the risk.

Mitigation & Remediation

Organizations should apply the patch available in version 2.3.10. If patching is not immediately possible, consider implementing network controls to restrict access to the API endpoints. Continuous monitoring for unusual access patterns can also help mitigate risks.

Detection Guidance

Monitor logs for unauthorized access attempts to API endpoints. Look for patterns of administrative changes or unexpected data modifications as indicators of potential exploit attempts.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-21446 highlights the importance of secure API design. Organizations must ensure that sensitive endpoints are protected even after installation processes are completed. This vulnerability serves as a reminder for security teams to continuously assess and validate their security controls against evolving threats.

Security teams can benefit from a comprehensive understanding of vulnerabilities like CVE-2026-21446 to improve overall security posture. Regular vulnerability assessments and timely patching are critical components of a robust security strategy.

For further insights, organizations should consider reviewing our penetration testing methodology and the importance of proactive security measures in mitigating risks from vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-21446: High Vulnerability in Webkul Bagisto