CVE-2026-21446

Bagisto's Open House: How an AJAX Header Stole the Admin Panel

Alon Barad
Software Engineer

Jan 2, 2026 · 5 min read

Executive Summary (TL;DR)

Bagisto left the installer routes active after installation but tried to hide them with a redirect. The catch? The redirect only applied to standard browser requests. By adding a simple `X-Requested-With: XMLHttpRequest` header, attackers can bypass the check, access the installer API, and overwrite the primary administrator account.

A logic flaw in Bagisto's installer middleware allows unauthenticated attackers to re-run the installation process via AJAX requests, enabling complete administrative takeover.
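The gate logic the advisory describes, as an added example written for this page rather than code taken from Bagisto: the flawed check only redirects requests that do not look like AJAX, so a client that sets `X-Requested-With: XMLHttpRequest` reaches the installer API after installation, while the hardened form refuses every installer request once installation is complete. The installer path `/installer` and the sub-path used in the demo are placeholders (the advisory does not name the real routes); the AJAX test mirrors Laravel's `Request::ajax()`, which returns true when that header equals `XMLHttpRequest`.

```python
"""Model of the installer-gate flaw (added example, not Bagisto's code).

Assumptions, none of which come from the advisory:
  - INSTALLER_PREFIX stands in for the real installer route prefix
  - is_ajax() mirrors Laravel's Request::ajax(): the X-Requested-With
    header must equal "XMLHttpRequest"
"""
from dataclasses import dataclass, field

INSTALLER_PREFIX = "/installer"  # placeholder path, assumed


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

    def is_ajax(self) -> bool:
        # Header names are case-insensitive, as any HTTP framework treats them.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get("x-requested-with", "") == "XMLHttpRequest"


def flawed_installer_gate(req: Request, installed: bool) -> str:
    """Pre-2.3.10 behaviour as the advisory describes it: after installation,
    non-AJAX requests to the installer are redirected to the front page, but
    AJAX-flagged requests fall through to the installer API."""
    if not req.path.startswith(INSTALLER_PREFIX) or not installed:
        return "pass"
    if not req.is_ajax():
        return "redirect:/"
    return "pass"  # the bypass: any client can set the header


def hardened_installer_gate(req: Request, installed: bool) -> str:
    """Hardened form: once installed, the installer is unreachable regardless
    of how the request is shaped. 404 avoids confirming the routes exist."""
    if req.path.startswith(INSTALLER_PREFIX) and installed:
        return "deny:404"
    return "pass"


def evaluate(gate, installed: bool = True) -> dict:
    """Send a plain browser request and an AJAX-flagged request through a gate
    and report what each one gets. The sub-path is a constructed placeholder."""
    target = f"{INSTALLER_PREFIX}/placeholder-step"
    browser = Request(target)
    ajax = Request(target, {"X-Requested-With": "XMLHttpRequest"})
    return {"browser": gate(browser, installed), "ajax": gate(ajax, installed)}


if __name__ == "__main__":
    for name, gate in (("flawed", flawed_installer_gate),
                       ("hardened", hardened_installer_gate)):
        print(name, evaluate(gate))
```

The deciding input in the hardened gate is the installation state alone; nothing the client controls (headers, content type, method) takes part in the decision. Treating the middleware as the only barrier is still fragile, so not registering the installer routes at all once the application reports itself installed is the stronger complement.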


Technical Appendix

CVSS Score: 9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

Bagisto eCommerce Platform

Affected Versions Detail

| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Bagisto | Webkul | >= 2.3.0, < 2.3.10 | 2.3.10 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-306 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network (Remote) |
| Authentication | None |
| Impact | Account Takeover / RCE |
| Exploit Status | PoC Available |
CWE-306: Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Vulnerability Timeline

CVE Published
2026-01-02
Patch Released (v2.3.10)
2026-01-02