Jan 2, 2026 · 5 min read
Bagisto trusted user input a little too much. By simply changing the Order ID in a reorder request, an attacker could force the application to fetch items from *anyone's* past order and dump them into their own shopping cart. It's the digital equivalent of reaching into someone else's grocery bag at the checkout line.
An Insecure Direct Object Reference (IDOR) in the Bagisto Laravel eCommerce platform allows authenticated users to 'reorder' items from any other customer's order history, effectively leaking purchasing habits and sensitive cart data.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Bagisto Bagisto | < 2.3.10 | 2.3.10 |
| Attribute | Detail |
|---|---|
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| CVSS v3.1 | 7.1 (High) |
| Attack Vector | Network (Authenticated) |
| Impact | Confidentiality Loss (High) |
| Exploit Status | Trivial / PoC Available |
| Patch Date | 2025-12-23 |
The application does not verify that the user ID associated with the requested object matches the currently authenticated user, allowing access to unauthorized records.
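As an added illustration (not Bagisto's own code), a minimal Laravel-style reorder handler shows the missing ownership check beside a version that ties the lookup to the authenticated customer and logs the rejected attempt; the controller, model, column and route names are assumptions.

```php
<?php
// Added illustration, not Bagisto's own code. Assumes a Laravel app with an
// Eloquent `Order` model having a `customer_id` column and an `items` relation
// (items expose product_id and qty); class, column and route names are hypothetical.

namespace App\Http\Controllers;

use App\Models\Order;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class ReorderController extends Controller
{
    // VULNERABLE (CWE-639): the order is fetched by the client-supplied ID
    // alone, so any logged-in customer who edits `order_id` gets another
    // customer's items copied into their own cart.
    public function reorderVulnerable(Request $request)
    {
        $order = Order::findOrFail($request->input('order_id'));
        return $this->copyItemsToCart($order);
    }

    // FIXED: compare the order's owner with the caller and record rejections.
    // Answering 404 rather than 403 avoids confirming that a foreign order ID
    // exists. Shorter equivalent: Order::where('customer_id', $uid)->findOrFail($id).
    public function reorder(Request $request)
    {
        $validated = $request->validate(['order_id' => 'required|integer']);
        $order = Order::findOrFail($validated['order_id']);

        if ((int) $order->customer_id !== (int) $request->user()->id) {
            Log::warning('reorder: cross-customer order access rejected',
                ['user_id' => $request->user()->id, 'order_id' => $order->id, 'ip' => $request->ip()]);
            abort(404);
        }
        return $this->copyItemsToCart($order);
    }

    private function copyItemsToCart(Order $order)
    {
        // Hypothetical session cart keyed by product_id => qty.
        $cart = session('cart', []);
        foreach ($order->items as $item) {
            $cart[$item->product_id] = ($cart[$item->product_id] ?? 0) + $item->qty;
        }
        session(['cart' => $cart]);
        return redirect()->route('cart.index');
    }
}
```

The warning log line gives a SOC a concrete signal to alert on: repeated rejections from one account walking sequential order IDs is the IDOR probing pattern this advisory describes.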