Authorization bypass through user-controlled key in Bagisto - CVE-2026-21447

Published: April 25, 2026


Vulnerability identifier: #VU127909
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21447
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Webkul Software Pvt. Ltd.
Affected software:
Bagisto

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive purchase information.

The vulnerability exists due to improper access control in the customer order reorder function in OrderController.php when handling reorder requests with a user-controlled order ID parameter. A remote user can manipulate the order ID parameter to add items from another customer's order to their own shopping cart, thereby disclosing that customer's sensitive purchase information.

The issue affects the reorder route and does not require user interaction.
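The pattern behind CWE-639 in a reorder action, and the query-scoped fix for it, shown as an added illustration. This is not Bagisto's code or a patch for CVE-2026-21447: the controller, the `Order` model, the `customer_id` column, the `items()` relation, the `Cart` service and the `cart.index` route name are all assumptions chosen to keep the example self-contained within a Laravel-style application.

```php
<?php
// Added illustration (not Bagisto's code): a reorder action that trusts the
// order id from the URL (CWE-639) next to a version that scopes the lookup to
// the authenticated customer. Model, column and route names are assumptions.

namespace App\Http\Controllers;

use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use App\Models\Order;   // assumed Eloquent model: customer_id column, items() relation
use App\Services\Cart;  // assumed cart service exposing addItem(product_id, qty)

class ReorderController extends Controller
{
    // Vulnerable pattern: the id taken from the route is used as-is, so any
    // logged-in customer can load any other customer's order. Copying its
    // line items into the cart reveals what that customer bought and in what
    // quantities, even though no "view order" page was ever opened.
    public function reorderVulnerable(int $id, Cart $cart)
    {
        $order = Order::findOrFail($id);

        foreach ($order->items as $item) {
            $cart->addItem($item->product_id, $item->qty_ordered);
        }

        return redirect()->route('cart.index');
    }

    // Hardened pattern: the ownership constraint lives in the query itself,
    // so an id belonging to someone else simply does not resolve (404) and
    // there is no separate if() that a future code path can forget.
    public function reorder(int $id, Cart $cart)
    {
        $order = Order::where('customer_id', Auth::id())->find($id);

        if ($order === null) {
            // Logged for detection: a burst of these from one session, with
            // sequential ids, is the signature of someone probing for IDOR.
            Log::warning('reorder denied: order not owned by customer', [
                'order_id'    => $id,
                'customer_id' => Auth::id(),
                'ip'          => request()->ip(),
            ]);
            abort(404);
        }

        foreach ($order->items as $item) {
            $cart->addItem($item->product_id, $item->qty_ordered);
        }

        return redirect()->route('cart.index');
    }
}
```

Returning 404 rather than 403 for a foreign id avoids confirming which order ids exist, and putting the `customer_id` condition in the `WHERE` clause means the same protection applies to any other method that reuses the query. On the detection side, repeated denials on the reorder route from a single customer session with non-sequential or rapidly incrementing ids are the indicator a SOC would alert on.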


How to mitigate CVE-2026-21447

Install the security update from the vendor's website.

Sources