CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21446: Bagisto's Open House: How an AJAX Header Stole the Admin Panel

Vulnerability ID: CVE-2026-21446
CVSS Score: 9.8
Published: 2026-01-02

A logic flaw in Bagisto's installer middleware allows unauthenticated attackers to re-run the installation process via AJAX requests, enabling complete administrative takeover.

TL;DR

Bagisto left the installer routes active after installation and relied on a middleware redirect to hide them. The catch? That redirect was skipped for AJAX requests. By adding a single X-Requested-With: XMLHttpRequest header (the only thing Laravel's $request->ajax() checks), an attacker can bypass the check, reach the installer API, and overwrite the primary administrator account.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-306
  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network (Remote)
  • Authentication: None
  • Impact: Account Takeover / RCE
  • Exploit Status: PoC Available

Affected Systems

  • Bagisto eCommerce Platform
  • Bagisto: >= 2.3.0, < 2.3.10 (Fixed in: 2.3.10)

Code Analysis

Commit: 380c045

Fixed installer middleware bypass and hardened admin creation logic

@@ -15,7 +15,7 @@ public function handle(Request $request, Closure $next)
-            if ($this->isAlreadyInstalled() && ! $request->ajax()) {
-                return redirect()->route('shop.home.index');
-            }
+            if ($this->isAlreadyInstalled()) {
+                if ($request->ajax()) {
+                     return response()->json(['message' => trans('installer::app.already-installed')], 403);
+                }
+                return redirect()->route('shop.home.index');
+            }
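Review bot: the commit message promises "hardened admin creation logic", but this hunk only changes the middleware gate; the admin-creation change should be shown or referenced so reviewers can confirm the second half of the fix, since this middleware is now the single control keeping the still-registered installer routes away from unauthenticated callers. The gate logic itself reads correctly: `if ($request->ajax())` now returns a 403 JSON body instead of the old `! $request->ajax()` exemption, and non-AJAX callers keep the redirect. Two mechanical points: the header `@@ -15,7 +15,7 @@` does not match a body that removes three lines and adds six, so the patch as quoted will not apply cleanly; and the `return response()->json(...)` line is indented one space deeper than its siblings.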

Exploit Details

  • N/A: Exploit methodology described in GHSA advisory

Mitigation Strategies

  • Upgrade to Bagisto v2.3.10 or later immediately.
  • Implement web server rules (Nginx/Apache) to deny access to /install routes in production.
  • Monitor access logs for POST requests to /install/api/* with AJAX headers.
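As an added example (not from the advisory or from Bagisto), a small Python scanner for the monitoring point above. It assumes an Nginx log_format that appends $http_x_requested_with, because the default combined format does not record that header; the sample lines and the step name after /install/api/ are constructed.

```python
import re
from collections import Counter

# Assumed Nginx log_format (not in the advisory) that records the
# X-Requested-With header, which the default "combined" format omits:
#   log_format bagisto '$remote_addr - [$time_local] "$request" $status '
#                      '"$http_x_requested_with"';
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'"(?P<xrw>[^"]*)"$'
)

def classify(line):
    """Label one access-log line, or return None if it is not installer traffic."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.startswith("/install"):
        return None
    status = int(m.group("status"))
    is_ajax = m.group("xrw").lower() == "xmlhttprequest"
    if m.group("method") == "POST" and path.startswith("/install/api/") and is_ajax:
        # The CVE-2026-21446 pattern: AJAX POST to the installer API.
        # A 2xx means the gate let it through; anything else was an attempt.
        return "critical" if status < 300 else "attempt"
    if status < 300:
        # Any 2xx from /install on a deployed store means the gate is not working.
        return "installer-reachable"
    return "blocked"

def scan(lines):
    """Return (per-label counts, [(label, line), ...]) for a log."""
    counts, hits = Counter(), []
    for line in lines:
        label = classify(line)
        if label:
            counts[label] += 1
            hits.append((label, line.strip()))
    return counts, hits

# Constructed sample log (not real traffic); "example-step" is a made-up installer step.
SAMPLE_LOG = """\
203.0.113.5 - [02/Jan/2026:10:00:01 +0000] "GET /install HTTP/1.1" 302 "-"
203.0.113.5 - [02/Jan/2026:10:00:02 +0000] "POST /install/api/example-step HTTP/1.1" 200 "XMLHttpRequest"
203.0.113.5 - [02/Jan/2026:10:00:03 +0000] "POST /install/api/example-step HTTP/1.1" 403 "XMLHttpRequest"
198.51.100.7 - [02/Jan/2026:10:00:04 +0000] "GET /install/api/example-step HTTP/1.1" 200 "-"
198.51.100.7 - [02/Jan/2026:10:00:05 +0000] "GET /admin/login HTTP/1.1" 200 "-"
"""
```

A "critical" hit on a store that is already installed is the signal to treat the admin account as compromised; "installer-reachable" alone means the gate is not in place and the upgrade or web-server rule above has not taken effect.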

Remediation Steps:

  1. Back up your database and codebase.
  2. Run composer update to pull the latest Bagisto packages.
  3. Verify the version in composer.json is >= 2.3.10.
  4. Verify that /install returns a 404 or 403 when accessed via browser and curl.

Read the full report for CVE-2026-21446 on our website for more details including interactive diagrams and full exploit analysis.
