High severityOSV Advisory· Published Jan 2, 2026· Updated Jan 2, 2026
Bagisto has IDOR in Customer Order Reorder Functionality
CVE-2026-21447
Description
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bagisto/bagistoPackagist | < 2.3.10 | 2.3.10 |
Affected products
1Patches
1b2b1cf625772Fix security issue in customer order reorder
1 file changed · +6 −1
packages/Webkul/Shop/src/Http/Controllers/Customer/Account/OrderController.php+6 −1 modified@@ -62,7 +62,12 @@ public function view($id) */ public function reorder(int $id) { - $order = $this->orderRepository->findOrFail($id); + $order = $this->orderRepository->findOneWhere([ + 'customer_id' => auth()->guard('customer')->id(), + 'id' => $id, + ]); + + abort_if(! $order, 404); foreach ($order->items as $item) { try {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-x5rw-qvvp-5cgmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-21447ghsaADVISORY
- github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3ghsax_refsource_MISCWEB
- github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.