CVE-2026-21447: Bagisto has IDOR in Customer Order Reorder Functionality

January 2, 2026

An Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer’s order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud.

References

github.com/advisories/GHSA-x5rw-qvvp-5cgm
github.com/bagisto/bagisto
github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3
github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm
nvd.nist.gov/vuln/detail/CVE-2026-21447

Code Behaviors & Features

Detect and mitigate CVE-2026-21447 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →