CVE-2026-21446 – Bagisto Installer API Authentication Bypass
Product: Bagisto
Affected Versions: 2.3.0 – 2.3.9
Fixed Version: 2.3.10
Severity
- Severity Level: Critical
- Estimated CVSS v3.1 Score: 9.8
- Attack Vector: Network
- Privileges Required: None
- User Interaction: None
- Impact: Full system compromise
Exploitability
- Exploit Complexity: Low
- Exploit Availability: Publicly reproducible using direct API calls
- Authentication Required: No
Vulnerability Overview
This issue occurs because Bagisto does not properly disable its installer-related API routes after the application has been successfully installed. The installer APIs, which are intended to be accessible only during initial setup, remain exposed and functional in production environments.
The affected endpoints are located under:
/install/api/*
These endpoints perform sensitive administrative operations such as initializing system configuration, writing environment variables, creating administrator accounts, and preparing database structures. Since there is no authentication or installation-state verification, any remote user can access these APIs directly.
Impact and Abuse Scenarios
An unauthenticated attacker can:
- Bypass the graphical installer completely
- Create one or more administrator accounts
- Change core application and database configuration
- Overwrite or reset existing application data
- Gain full administrative control over the platform
This vulnerability results in a total compromise of the application, including confidentiality, integrity, and availability.
Exploitation Flow
- Attacker identifies a live Bagisto instance
- Sends crafted HTTP requests to /install/api/* endpoints
- Installer logic executes without validation
- Administrative data is written to the system
- Attacker logs in using the newly created admin account
No prior access, credentials, or user interaction is required.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1136.001 – Create Account: Local Account
- T1565.001 – Stored Data Manipulation
- T1505.003 – Web Shell (possible post-compromise activity)
Detection and Monitoring
Indicators of Compromise
- Requests to /install/api/* on systems that are already installed
- Unexpected admin account creation events
- Configuration changes without a valid admin session
Suspicious Payload Indicators
- JSON parameters containing admin_email, admin_password, app_url, or database_* values
Recommended Log Sources
- Web server access logs (Apache or Nginx)
- Laravel application logs
- Web Application Firewall logs
- Database audit logs
Example Detection Logic
If request_uri contains "/install/api/"
AND installation_status = completed
THEN raise alert for unauthorized installer API access
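The pseudocode rule above, worked through as an added example (this is not Bagisto or Laravel code): it parses Apache/Nginx combined-format access lines, gates on the installation state so a genuine first-time install does not alert, matches on the bare path so a query string cannot dodge the prefix check, and separately flags JSON bodies (from a WAF or reverse proxy that logs bodies) carrying the suspicious installer parameters named above. The log lines are constructed, the installation-state constant is an assumption, and /install/api/example-step is a placeholder path, not a real Bagisto route name.

```python
import json
import re

# Installation state of the monitored instance. A constant here; a real
# deployment would pull it from inventory (assumption for this example).
INSTALLATION_STATUS = "completed"

# Path prefix from the advisory. Matching is on the path only, so a query
# string cannot be used to bypass the rule.
INSTALLER_API_PREFIX = "/install/api/"

# Request-body keys the advisory lists as suspicious installer parameters.
SUSPICIOUS_KEYS = ("admin_email", "admin_password", "app_url")
SUSPICIOUS_KEY_PREFIX = "database_"

# Minimal parser for the Apache/Nginx "combined" access-log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log. "/install/api/example-step" is a placeholder path,
# not a real Bagisto route; only the prefix matters to the rule.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [02/Mar/2026:10:15:01 +0000] "GET /admin/login HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2026:10:15:09 +0000] "POST /install/api/example-step HTTP/1.1" 200 87 "-" "curl/8.5.0"
203.0.113.5 - - [02/Mar/2026:10:15:12 +0000] "GET /install/api/example-step?x=1 HTTP/1.1" 200 412 "-" "curl/8.5.0"
198.51.100.7 - - [02/Mar/2026:10:16:40 +0000] "GET /products/some-product HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
not a log line at all
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip the query string so prefix matching sees the bare path.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def is_installer_api_path(path):
    return path.startswith(INSTALLER_API_PREFIX)


def find_installer_access(log_text, installation_status=INSTALLATION_STATUS):
    """Advisory rule: installer API request AND installation completed -> alert.

    During a genuine first-time install these requests are expected, so the
    rule is gated on installation state rather than on the path alone.
    """
    if installation_status != "completed":
        return []
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_installer_api_path(rec["path"]):
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "reason": "installer API request on an already-installed instance",
            })
    return alerts


def suspicious_payload_keys(body):
    """Return body keys (top level or nested) matching the advisory's suspicious
    installer parameters. Non-JSON bodies yield an empty list."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return []
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SUSPICIOUS_KEYS or key.startswith(SUSPICIOUS_KEY_PREFIX):
                    found.append(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(data)
    return found


if __name__ == "__main__":
    for alert in find_installer_access(SAMPLE_ACCESS_LOG):
        print(alert)
    # Constructed body of the shape an installer call might carry.
    print(suspicious_payload_keys('{"admin_email": "a@x", "database_host": "db"}'))
```

Any hit on an installed instance is an incident, not a curiosity: the request either failed (a probe) or succeeded (administrator accounts or configuration may already have been altered), so correlate the timestamp against admin-user creation and .env or configuration changes before deciding which.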
Remediation
- Upgrade to Bagisto version 2.3.10 immediately
- Block or remove /install routes at the web server level
- Rotate all administrative credentials after patching
- Review logs for signs of exploitation
Official Patch
https://github.com/bagisto/bagisto/releases/tag/v2.3.10
CVE-2026-21448 – Bagisto Server-Side Template Injection (SSTI)
Product: Bagisto
Affected Versions: All versions prior to 2.3.10
Fixed Version: 2.3.10
Severity
- Severity Level: Critical
- Estimated CVSS v3.1 Score: 9.9
- Attack Vector: Network
- Privileges Required: Low (standard customer account)
- User Interaction: Administrator views order
- Impact: Remote Code Execution
Exploitability
- Exploit Complexity: Medium
- Exploit Availability: Practical and reproducible
- Authentication Required: Customer account only
Vulnerability Overview
This vulnerability is caused by improper handling of user-supplied input in Blade templates rendered within the Bagisto admin panel. Customer-provided address data entered during checkout is stored without sufficient sanitization and later rendered in administrative order views.
Because the data is interpreted within a server-side template context, attackers can inject Blade expressions that execute when the admin opens the affected order.
Attack Scenario
- Attacker registers as a normal customer
- Places an order on the site
- Injects template expressions into address fields
- Administrator opens the order in the admin panel
- Injected payload executes on the server
This attack leverages standard business functionality and does not raise immediate suspicion.
Payload Examples (Conceptual)
Expression Evaluation Test
{{ 7 * 7 }}
Command Execution
{{ system('id') }}
File Disclosure
{{ file_get_contents('/etc/passwd') }}
Successful execution confirms server-side template injection and potential remote code execution.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1059 – Command and Scripting Interpreter
- T1083 – File and Directory Discovery
- T1105 – Ingress Tool Transfer
Detection and Monitoring
Indicators of Suspicious Activity
- Address fields containing {{, {!!, or PHP-like syntax
- Unusual errors in Blade rendering logs
- Unexpected system command execution
Recommended Log Sources
- Laravel application logs
- Admin panel access logs
- Operating system command execution logs
- Error and exception logs
Detection Rule Example
If order_address contains "{{" or "}}"
THEN flag as potential SSTI attempt
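The rule above as a runnable scanner, added here as an example (not Bagisto's own code) that also serves the "review historical order data" step in the remediation list. It goes slightly beyond the page's rule: besides {{ and }} it checks for the unescaped Blade echo form {!! !!}, the @php directive and raw PHP open tags, all standard Blade/PHP syntax, and reports a lone delimiter separately so a payload split across two fields is still caught. The sample orders are constructed and the address field names are illustrative, not Bagisto's schema.

```python
import re

# Blade/PHP syntax that has no business in a shipping or billing address.
PAIRED_PATTERNS = (
    ("blade_echo", re.compile(r"\{\{.*?\}\}", re.S)),
    ("blade_raw_echo", re.compile(r"\{!!.*?!!\}", re.S)),
    ("blade_php_directive", re.compile(r"@php\b")),
    ("php_open_tag", re.compile(r"<\?(?:php\b|=)", re.I)),
)
# A lone delimiter (for example a payload split across two fields) is still
# worth a look, but only reported when no complete form matched.
STRAY_DELIMITER = re.compile(r"\{\{|\}\}|\{!!|!!\}")

# Constructed sample orders; field names are illustrative, not Bagisto's schema.
SAMPLE_ORDERS = [
    {"id": 1001, "shipping_address": {
        "first_name": "Ana", "address1": "12 High Street, Suite {2B}", "city": "Leeds"}},
    {"id": 1002, "shipping_address": {
        "first_name": "{{ 7 * 7 }}", "address1": "1 Test Lane", "city": "Leeds"}},
    {"id": 1003, "shipping_address": {
        "first_name": "Bob", "company": "{!! system('id') !!}", "address1": "}}", "city": "York"}},
]


def scan_value(value):
    """Return indicator names found in one string field (empty list if clean)."""
    hits = [name for name, pat in PAIRED_PATTERNS if pat.search(value)]
    if not hits and STRAY_DELIMITER.search(value):
        hits.append("stray_blade_delimiter")
    return hits


def scan_address(address):
    """Map field name -> indicators for every string field that triggers."""
    findings = {}
    for field, value in address.items():
        if isinstance(value, str):
            hits = scan_value(value)
            if hits:
                findings[field] = hits
    return findings


def scan_orders(orders, address_keys=("shipping_address", "billing_address")):
    """Sweep historical orders; one finding per (order, address, field) that triggers."""
    findings = []
    for order in orders:
        for key in address_keys:
            address = order.get(key)
            if not isinstance(address, dict):
                continue
            for field, hits in scan_address(address).items():
                findings.append({"order_id": order["id"], "address": key,
                                 "field": field, "indicators": hits,
                                 "value": address[field]})
    return findings


if __name__ == "__main__":
    for finding in scan_orders(SAMPLE_ORDERS):
        print(finding)
```

Run the sweep against an export of the orders table or at the checkout boundary as a WAF-style rule. Because the payload fires when an administrator views the order, review flagged records from the database export or a patched instance, not by opening them in the admin panel of an unpatched 2.3.x deployment. Single braces such as "Suite {2B}" are deliberately not flagged, since Blade only interprets the doubled forms.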
Remediation
- Upgrade to Bagisto version 2.3.10
- Render customer-controlled fields as escaped output data; never pass them to the Blade compiler as template source
- Avoid rendering untrusted data in server-side templates
- Review historical order data for injected payloads
Official Patch
https://github.com/bagisto/bagisto/releases/tag/v2.3.10
Final Risk Summary
- CVE-2026-21446: Allows unauthenticated attackers to gain full administrative control
- CVE-2026-21448: Allows low-privilege users to achieve remote code execution
Both issues represent critical risks and should be addressed immediately by upgrading to the fixed version and performing a full security review.
