Description
Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.
Published: 2026-01-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated privilege escalation via exposed installer API endpoints
Action: Patch immediately
AI Analysis

Impact

Bagisto’s installer API routes remain accessible after the initial setup on versions prior to 2.3.10. The lack of authentication allows an attacker to create administrative accounts, alter configuration settings, and overwrite existing data, effectively granting full control over the e‑commerce site.

Affected Systems

The vulnerable product is the Bagisto eCommerce platform from Webkul. Any deployment running version 2.3 on the 2.3 branch earlier than 2.3.10 is affected; version 2.3.10 and later contain the fix.

Risk and Exploitability

The flaw is scored CVSS 8.8 indicating high severity, but the EPSS score is below 1% and it is not listed in KEV, suggesting low current exploitation likelihood. Nevertheless, the absence of authentication means that any unauthenticated user who can reach the web application can exploit the /install/api/* routes. Successful exploitation results in full administrative access and the ability to modify or delete application data, posing a severe threat to confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 18, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bagisto to version 2.3.10 or newer, which removes the unauthenticated installer API endpoints.
  • If an immediate upgrade is not possible, disable or remove the /install/api/* routes from the application’s routing configuration or block them at the web server level.
  • Restrict access to the installer API endpoints by applying network-level controls, such as limiting connections to localhost, VPN, or specific IP ranges.

Generated by OpenCVE AI on April 18, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6h7w-v2xr-mqvw Bagisto Missing Authentication on Installer API Endpoints
History

Thu, 08 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 05 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Webkul
Webkul bagisto
Vendors & Products Webkul
Webkul bagisto

Fri, 02 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
Description Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.
Title Bagisto Missing Authentication on Installer API Endpoints
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Webkul Bagisto
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-05T15:54:55.916Z

Reserved: 2025-12-29T03:00:29.277Z

Link: CVE-2026-21446

cve-icon Vulnrichment

Updated: 2026-01-05T15:54:52.277Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-02T20:16:18.020

Modified: 2026-01-08T21:25:06.213

Link: CVE-2026-21446

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses