CVE-2026-46656
8.8 HIGH
Bludit is a content management system.
Published: 2026-06-08 · Last updated: 2026-06-09
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-285, CWE-613
Description
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-46656
- [Other] https://github.com/bludit/bludit/commit/7931d1c55a3cc535911a9901c328f0197afe1c9f
- [Other] https://github.com/bludit/bludit/releases/tag/3.22.0
- [Other] https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw
Related CVEs
Same CWE
- CVE-2026-47342 — A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges. This issue...
- CVE-2026-46668 — SpiceDB is an open source database system for creating and managing security-critical application permissions
- CVE-2026-47298 — Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network (8.0 HIGH)
- CVE-2026-45503 — Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network (8.1 HIGH)
- CVE-2026-45490 — Improper authorization in .NET allows an authorized attacker to elevate privileges locally (7.8 HIGH)