Bagisto Missing Authentication on Installer API Endpoints
Description
Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, the installer's API routes remain reachable after initial installation is complete: the `CanInstall` middleware only redirected non-AJAX requests, so the underlying endpoints (/install/api/*) were directly accessible and exploitable without any authentication. An attacker can bypass the web installer UI entirely by calling those API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue by answering such requests with HTTP 403 once the application is installed and by no longer creating the administrator account from the database seeder.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bagisto/bagisto (Packagist) | >= 2.3.0, < 2.3.10 | 2.3.10 |
Affected products
Patches (1)
380c045e4849 — fix: fixed security issue in installer
26 files changed · +118 −26
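--- a/packages/Webkul/Core/src/Traits/Sanitizer.php
+++ b/packages/Webkul/Core/src/Traits/Sanitizer.php
@@ -24,13 +24,12 @@ trait Sanitizer
     public function sanitizeSVG($path, $mimeType)
     {
         if ($this->checkMimeType($mimeType)) {
-            /* sanitizer instance */
             $sanitizer = new MainSanitizer;
 
-            /* grab svg file */
+            $sanitizer->removeRemoteReferences(true);
+
             $dirtySVG = Storage::get($path);
 
-            /* save sanitized svg */
             Storage::put($path, $sanitizer->sanitize($dirtySVG));
         }
     }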
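Review bot: `Storage::put($path, $sanitizer->sanitize($dirtySVG))` on the last line of the branch stores whatever `sanitize()` returns without looking at it; if `MainSanitizer` is the enshrined/svg-sanitize `Sanitizer` (the alias is outside the hunk), that return value is `false` for input it cannot parse as XML, so a malformed or deliberately mangled upload is written back as an empty file (or left as uploaded, depending on the Flysystem version) instead of being rejected. Bind the result and bail out, deleting the stored file, when it is `false`. A one-line comment on the new `removeRemoteReferences(true)` call, along the lines of `// strip external href/xlink:href and url() references so the SVG cannot load remote resources`, would also record why the option is now set. `checkMimeType()` and the rest of the trait are outside the hunk.
```php
            $dirtySVG = Storage::get($path);

            $cleanSVG = $sanitizer->sanitize($dirtySVG);

            // sanitize() yields false for input that is not well-formed XML; never keep such a file.
            if ($cleanSVG === false) {
                Storage::delete($path);

                return;
            }

            Storage::put($path, $cleanSVG);
```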
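--- a/packages/Webkul/Installer/src/Database/Seeders/User/AdminsTableSeeder.php
+++ b/packages/Webkul/Installer/src/Database/Seeders/User/AdminsTableSeeder.php
@@ -20,6 +20,10 @@ public function run($parameters = [])
 
         $defaultLocale = $parameters['default_locale'] ?? config('app.locale');
 
+        if (isset($parameters['skip_admin_creation']) && $parameters['skip_admin_creation']) {
+            return;
+        }
+
         DB::table('admins')->insert([
             'id' => 1,
             'name' => trans('installer::app.seeders.user.users.name', [], $defaultLocale),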
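Review bot: The new early return carries no comment, and the reason a seeder would skip its own table is not visible in this file: the web installer passes `skip_admin_creation => true` (see the `runSeeder()` hunk in `InstallerController` in this same commit) so the administrator row is written only by the installer's admin step with the credentials the user chose, never as a seeded default. I'd put `// The web installer creates the admin itself in InstallerController::adminConfigSetup(); skip the seeded default so it is never left in place.` above the `if`. The `isset(...) && ...` pair can be written as `if (! empty($parameters['skip_admin_creation'])) {`, which treats an absent key and a false value the same way. `run()`'s body continues past the hunk.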
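--- a/packages/Webkul/Installer/src/Helpers/DatabaseManager.php
+++ b/packages/Webkul/Installer/src/Helpers/DatabaseManager.php
@@ -71,10 +71,11 @@ public function migration()
     public function seeder($data)
     {
         $data['parameter'] = [
-            'default_locale'     => $data['parameter']['default_locales'],
-            'allowed_locales'    => $data['parameter']['allowed_locales'],
-            'default_currency'   => $data['parameter']['default_currency'],
-            'allowed_currencies' => $data['parameter']['allowed_currencies'],
+            'default_locale'      => $data['parameter']['default_locales'],
+            'allowed_locales'     => $data['parameter']['allowed_locales'],
+            'default_currency'    => $data['parameter']['default_currency'],
+            'allowed_currencies'  => $data['parameter']['allowed_currencies'],
+            'skip_admin_creation' => $data['parameter']['skip_admin_creation'],
         ];
 
         try {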
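Review bot: The added `'skip_admin_creation' => $data['parameter']['skip_admin_creation'],` reads the key without a default, so any caller of `seeder()` that does not set it — anything other than the patched `runSeeder()` in `InstallerController`, if such callers exist — now hits an undefined-array-key warning on PHP 8, which Laravel's handler turns into an `ErrorException` outside the `try` below. Use `'skip_admin_creation' => $data['parameter']['skip_admin_creation'] ?? false,` so the seeder keeps its previous behaviour when the flag is absent. The `default_locale`/`default_locales` mismatch on the first line predates this change, but a short comment noting that the installer and this helper deliberately use different key names would stop the next reader from "fixing" one side. `seeder()`'s body continues past the hunk.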
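--- a/packages/Webkul/Installer/src/Http/Controllers/InstallerController.php
+++ b/packages/Webkul/Installer/src/Http/Controllers/InstallerController.php
@@ -21,7 +21,7 @@ class InstallerController extends Controller
      *
      * @var string
      */
-    const MIN_PHP_VERSION = '8.1.0';
+    const MIN_PHP_VERSION = '8.2.0';
 
     /**
      * Const Variable for Static Customer Id
@@ -108,10 +108,11 @@ public function runSeeder()
 
         $parameter = [
             'parameter' => [
-                'default_locales'    => $appLocale,
-                'default_currency'   => $appCurrency,
-                'allowed_locales'    => $allowedLocales,
-                'allowed_currencies' => $allowedCurrencies,
+                'default_locales'     => $appLocale,
+                'default_currency'    => $appCurrency,
+                'allowed_locales'     => $allowedLocales,
+                'allowed_currencies'  => $allowedCurrencies,
+                'skip_admin_creation' => true,
             ],
         ];
 
@@ -161,21 +162,18 @@ public function adminConfigSetup()
         $password = password_hash(request()->input('password'), PASSWORD_BCRYPT, ['cost' => 10]);
 
         try {
-            DB::table('admins')->updateOrInsert(
-                [
-                    'id' => self::USER_ID,
-                ], [
-                    'name'     => request()->input('admin'),
-                    'email'    => request()->input('email'),
-                    'password' => $password,
-                    'role_id'  => 1,
-                    'status'   => 1,
-                ]
-            );
+            DB::table('admins')->insert([
+                'id'      => self::USER_ID,
+                'name'    => request()->input('admin'),
+                'email'   => request()->input('email'),
+                'password'=> $password,
+                'role_id' => 1,
+                'status'  => 1,
+            ]);
 
             return true;
         } catch (\Throwable $th) {
-            Log::error('Error in Admin installer config setup'.$th->getMessage());
+            Log::error('Error in Admin installer config setup: '.$th->getMessage());
 
             return false;
         }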
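Review bot: In the `adminConfigSetup()` hunk, replacing `updateOrInsert` with a plain `insert` keyed on `self::USER_ID` means a second call now fails on the primary key, and that failure lands in the `catch` a few lines below, whose `Log::error` appends `$th->getMessage()` — for a Laravel `QueryException` that message embeds the full statement with its bindings, so the submitted admin email and bcrypt hash would be written to the application log. Refuse before touching the database, at the top of the `try`: `if (DB::table('admins')->where('id', self::USER_ID)->exists()) {` / `    return false;` / `}`, and log only the exception class (or a fixed string) for whatever still reaches the catch. The start of `adminConfigSetup()` is outside the hunk, so I cannot see whether `request()->input('email')` and the other fields are validated before they reach the insert; the same commit's `skip_admin_creation => true` in `runSeeder()` makes this method the only place the admin row is created, so that validation matters more than before.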
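--- a/packages/Webkul/Installer/src/Http/Middleware/CanInstall.php
+++ b/packages/Webkul/Installer/src/Http/Middleware/CanInstall.php
@@ -18,8 +18,14 @@ class CanInstall
     public function handle(Request $request, Closure $next)
     {
         if (Str::contains($request->getPathInfo(), '/install')) {
-            if ($this->isAlreadyInstalled() && ! $request->ajax()) {
-                return redirect()->route('shop.home.index');
+            if ($this->isAlreadyInstalled()) {
+                if (! $request->ajax()) {
+                    return redirect()->route('shop.home.index');
+                }
+
+                return response()->json([
+                    'message'=> trans('installer::app.installer.middleware.already-installed'),
+                ], 403);
             }
         } else {
             if (! $this->isAlreadyInstalled()) {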
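Review bot: The new 403 branch inherits the `Str::contains($request->getPathInfo(), '/install')` test on the line above it, which matches any path that merely contains that substring, so after installation every AJAX request to such a path — not only `/install/api/*` — is now answered with this JSON 403 where it previously fell through. If only the installer is meant to be gated, anchor the match: `if ($request->is('install', 'install/*')) {`. Note that `$request->ajax()` keys off the client-supplied `X-Requested-With` header; that is fine here because both branches now deny, but a comment saying so (`// both branches deny; ajax() only chooses redirect vs. JSON`) would stop a later change from reintroducing the bypass. `isAlreadyInstalled()` is defined outside the hunk and `handle()`'s body continues past it.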
packages/Webkul/Installer/src/Resources/lang/ar/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'التطبيق مثبت بالفعل.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'مدير',
packages/Webkul/Installer/src/Resources/lang/bn/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'অ্যাপ্লিকেশন ইতিমধ্যেই ইনস্টল করা হয়েছে।', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'অ্যাডমিন',
packages/Webkul/Installer/src/Resources/lang/ca/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'L\'aplicació ja està instal·lada.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Administrador',
packages/Webkul/Installer/src/Resources/lang/de/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Anwendung ist bereits installiert.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Administrator',
packages/Webkul/Installer/src/Resources/lang/en/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Application is already installed.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Admin',
packages/Webkul/Installer/src/Resources/lang/es/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'La aplicación ya está instalada.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Administrador',
packages/Webkul/Installer/src/Resources/lang/fa/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'برنامه در حال حاضر نصب شده است.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'مدیر',
packages/Webkul/Installer/src/Resources/lang/fr/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'L\'application est déjà installée.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Admin',
packages/Webkul/Installer/src/Resources/lang/he/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'האפליקציה כבר מותקנת.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'מנהל',
packages/Webkul/Installer/src/Resources/lang/hi_IN/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'एप्लिकेशन पहले से ही इंस्टॉल है।', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'व्यवस्थापक',
packages/Webkul/Installer/src/Resources/lang/id/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Aplikasi sudah terinstall.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Admin',
packages/Webkul/Installer/src/Resources/lang/it/app.php+4 −0 modified@@ -615,6 +615,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'L\'applicazione è già installata.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Amministratore',
packages/Webkul/Installer/src/Resources/lang/ja/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'アプリケーションは既にインストールされています。', + ], + 'index' => [ 'create-administrator' => [ 'admin' => '管理者',
packages/Webkul/Installer/src/Resources/lang/nl/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Applicatie is al geïnstalleerd.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Beheerder',
packages/Webkul/Installer/src/Resources/lang/pl/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Aplikacja jest już zainstalowana.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Administrator',
packages/Webkul/Installer/src/Resources/lang/pt_BR/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'A aplicação já está instalada.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Administrador',
packages/Webkul/Installer/src/Resources/lang/ru/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Приложение уже установлено.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Администратор',
packages/Webkul/Installer/src/Resources/lang/sin/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'අප්ලිකේෂනය පුවතිම ස්ාපිත වෙලා සිටි.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'පරිපාලක',
packages/Webkul/Installer/src/Resources/lang/tr/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Uygulama zaten yüklü.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Yönetici',
packages/Webkul/Installer/src/Resources/lang/uk/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => 'Додаток вже встановлено.', + ], + 'index' => [ 'create-administrator' => [ 'admin' => 'Адміністратор',
packages/Webkul/Installer/src/Resources/lang/zh_CN/app.php+4 −0 modified@@ -617,6 +617,10 @@ ], 'installer' => [ + 'middleware' => [ + 'already-installed' => '应用程序已经安装。', + ], + 'index' => [ 'create-administrator' => [ 'admin' => '管理员',
References
- github.com/advisories/GHSA-6h7w-v2xr-mqvw (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-21446 (NVD entry)
- github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed (fix commit)
- github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw (vendor advisory)