Jan 2, 2026
Bagisto left the installer routes active after installation but tried to hide them with a redirect. The catch? The redirect only applied to standard browser requests. By adding a simple `X-Requested-With: XMLHttpRequest` header, attackers can bypass the check, access the installer API, and overwrite the primary administrator account.
A logic flaw in Bagisto's installer middleware allows unauthenticated attackers to re-run the installation process via AJAX requests, enabling complete administrative takeover.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Bagisto Webkul | >= 2.3.0, < 2.3.10 | 2.3.10 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-306 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network (Remote) |
| Authentication | None |
| Impact | Account Takeover / RCE |
| Exploit Status | PoC Available |
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
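To make the middleware flaw concrete, here is an added example (constructed for this write-up, not Bagisto's own code) that models the flawed installer guard next to a hardened one, plus a small detection pass over constructed request records. The `/installer` route prefix and the sample paths are assumptions, not values taken from the advisory.

```python
from dataclasses import dataclass, field

INSTALLER_PREFIX = "/installer"  # assumed route prefix, not quoted from the advisory


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

    def is_ajax(self) -> bool:
        # Laravel-style AJAX detection keys on this single client-controlled header
        return self.headers.get("X-Requested-With", "").lower() == "xmlhttprequest"


def vulnerable_guard(req: Request, installed: bool) -> str:
    """Flawed pattern: only browser (non-AJAX) requests are redirected away."""
    if installed and req.path.startswith(INSTALLER_PREFIX) and not req.is_ajax():
        return "redirect"
    return "allow"  # an AJAX request falls through to the installer API


def hardened_guard(req: Request, installed: bool) -> str:
    """Fix: once installed, refuse every installer request regardless of request type."""
    if installed and req.path.startswith(INSTALLER_PREFIX):
        return "deny"  # 403/404; no header can re-enable the route
    return "allow"


def find_installer_hits(records: list) -> list:
    """Detection: list installer-route requests and whether they carried the AJAX header."""
    hits = []
    for rec in records:
        req = Request(rec["path"], rec.get("headers", {}))
        if req.path.startswith(INSTALLER_PREFIX):
            hits.append((req.path, req.is_ajax()))
    return hits


# Constructed sample traffic (not from any real log); the sub-path is made up
SAMPLE_RECORDS = [
    {"path": "/", "headers": {}},
    {"path": "/installer", "headers": {}},
    {"path": "/installer/example-step", "headers": {"X-Requested-With": "XMLHttpRequest"}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = Request(rec["path"], rec["headers"])
        print(r.path, "flawed:", vulnerable_guard(r, True), "fixed:", hardened_guard(r, True))
    print(find_installer_hits(SAMPLE_RECORDS))
```

Any post-install hit on the installer prefix is worth alerting on; the AJAX flag in the detection output shows which ones would have slipped past the flawed guard.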