CVE-2026-21447

I'll Have What He's Having: IDOR in Bagisto eCommerce

Alon Barad
Software Engineer

Jan 2, 2026 · 5 min read

Executive Summary (TL;DR)

Bagisto trusted user input a little too much. By simply changing the Order ID in a reorder request, an attacker could force the application to fetch items from *anyone's* past order and dump them into their own shopping cart. It's the digital equivalent of reaching into someone else's grocery bag at the checkout line.

An Insecure Direct Object Reference (IDOR) in the Bagisto Laravel eCommerce platform allows authenticated users to 'reorder' items from any other customer's order history, effectively leaking purchasing habits and sensitive cart data.


Technical Appendix

CVSS Score
7.1 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Affected Systems

Bagisto eCommerce Platform

Affected Versions Detail

Product: Bagisto
Affected Versions: < 2.3.10
Fixed Version: 2.3.10

CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
CVSS v3.1: 7.1 (High)
Attack Vector: Network (Authenticated)
Impact: Confidentiality Loss (High)
Exploit Status: Trivial / PoC Available
Patch Date: 2025-12-23
CWE-639
Insecure Direct Object Reference (IDOR)

The application does not verify that the user ID associated with the requested object matches the currently authenticated user, allowing access to unauthorized records.
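The pattern described above, shown as an added illustrative Laravel-style controller (this is not Bagisto's own code; the Order model, CartService helper, 'customer' guard and route name are assumptions): the first action looks an order up by the client-supplied ID alone, the second scopes the lookup to the authenticated customer so a foreign ID yields a 404 instead of someone else's order.

```php
<?php
// Added example, not Bagisto's code. Order/OrderItem/CartService and the
// 'customer' guard are assumed names used to illustrate CWE-639 in a reorder flow.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Database\Eloquent\Model;

class OrderItem extends Model {}

class Order extends Model
{
    // assumed columns: id, customer_id
    public function items() { return $this->hasMany(OrderItem::class); }
}

class CartService
{
    // assumed helper: copies order lines into the current session's cart
    public function addItems($items): void { /* ... */ }
}

class ReorderController
{
    // VULNERABLE (CWE-639): only the route parameter decides which order is read.
    // Any logged-in customer who changes {id} gets another customer's items.
    public function reorderVulnerable(Request $request, int $id, CartService $cart)
    {
        $order = Order::findOrFail($id);
        $cart->addItems($order->items);
        return redirect()->route('cart.index');   // assumed route name
    }

    // FIXED: bind the lookup to the authenticated customer. An ID that belongs
    // to someone else simply does not match, and findOrFail returns 404.
    public function reorderFixed(Request $request, int $id, CartService $cart)
    {
        $customerId = Auth::guard('customer')->id();   // assumed guard name
        $order = Order::where('customer_id', $customerId)->findOrFail($id);
        $cart->addItems($order->items);
        return redirect()->route('cart.index');
    }
}
```

Scoping the query (or an equivalent policy check such as Laravel's authorize()) should be applied to every endpoint that accepts an order ID, not just reorder.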

Vulnerability Timeline

Vendor releases patch (Commit b2b1cf62)
2025-12-23
CVE-2026-21447 assigned and published
2026-01-02
GHSA-x5rw-qvvp-5cgm advisory published
2026-01-02
