Missing Authentication for Critical Function in Bagisto - CVE-2026-21446

Published: April 25, 2026


Vulnerability identifier: #VU127908
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-21446
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Webkul Software Pvt. Ltd.
Affected software:
Bagisto

Detailed vulnerability description

The vulnerability allows a remote attacker to create administrative accounts and modify application configuration.

The vulnerability exists due to improper access control in the installer API endpoints: direct requests to /install/api/* are still handled after installation is complete. A remote attacker can send a specially crafted request to create administrative accounts and modify application configuration.

The installer's UI-level protections can be bypassed by invoking the API endpoints directly; no CSRF token or session is required.
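As an added example (not from the advisory and not code from the Bagisto project), the following Python script shows the two checks a defender would want for this class of weakness: a gate that denies every request under /install/api/* once installation is complete, regardless of session state, and a scan of web-server access logs for installer API hits after the recorded installation time. The log format (a "combined" line with an assumed trailing quoted Cookie field), the installation timestamp, the sub-paths under /install/api/ and the log lines themselves are constructed for the example; only the /install/api/* prefix and the observation that no session is required come from the advisory.

```python
"""Post-install gating and log detection for installer API requests (/install/api/*).

Everything below except the INSTALLER_API_PREFIX is constructed for illustration:
the log format, the installation timestamp, the sub-paths and the sample lines.
"""
import re
from datetime import datetime, timezone

INSTALLER_API_PREFIX = "/install/api/"  # path prefix named in the advisory

# Assumed log format: Apache/nginx "combined" plus one trailing quoted field holding
# the request's Cookie header ("-" when absent). The trailing field is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed: the moment the installer was completed on this deployment.
INSTALLED_AT = datetime(2026, 4, 10, 9, 0, 0, tzinfo=timezone.utc)

# Constructed sample access log. Lines 1-2 are legitimate installer traffic before
# INSTALLED_AT; lines 4-5 are post-install hits on the installer API with no session.
LOG_LINES = [
    '203.0.113.7 - - [10/Apr/2026:08:00:01 +0000] "GET /install HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.7 - - [10/Apr/2026:08:05:30 +0000] "POST /install/api/step-a HTTP/1.1" 200 64 "-" "Mozilla/5.0" "session=abc"',
    '198.51.100.5 - - [26/Apr/2026:02:14:09 +0000] "GET /admin/login HTTP/1.1" 200 3021 "-" "Mozilla/5.0" "-"',
    '198.51.100.5 - - [26/Apr/2026:02:14:21 +0000] "POST /install/api/step-a HTTP/1.1" 200 88 "-" "curl/8.4.0" "-"',
    '198.51.100.5 - - [26/Apr/2026:02:14:33 +0000] "POST /install/api/step-b?x=1 HTTP/1.1" 200 40 "-" "curl/8.4.0" "-"',
    'this line is malformed and must be skipped, not crash the scan',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_installer_api_request(path):
    """True when the request path (query string ignored) is under /install/api/."""
    return path.split("?", 1)[0].startswith(INSTALLER_API_PREFIX)


def should_block(path, installed):
    """Mitigation gate: once installation is complete, deny every installer API
    request before any handler runs, whether or not a session or token is present."""
    return bool(installed) and is_installer_api_request(path)


def find_suspicious(lines, installed_at):
    """Return post-installation requests to the installer API, each annotated with
    whether it arrived without any Cookie header (the advisory notes no session is needed)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] <= installed_at:
            continue
        if not is_installer_api_request(rec["path"]):
            continue
        rec["no_cookie"] = rec["cookie"] in ("", "-")
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_suspicious(LOG_LINES, INSTALLED_AT):
        flag = "no session cookie" if h["no_cookie"] else "cookie present"
        print(f'{h["ts"].isoformat()} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({flag})')
```

The gate in `should_block` is the shape of the fix: the "installed" state must be checked on the API routes themselves, not only in the installer UI, because the UI can be skipped. The scan is useful on deployments that ran an affected version, since any installer API hit after the install timestamp is worth reviewing alongside the admin user table and configuration for unexpected changes.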


How to mitigate CVE-2026-21446

Install the security update from the vendor's website.

Sources