CVE-2026-46656
Severity: HIGH
Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions
Title source: cnaDescription
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.
References (3)
x_refsource_misc: https://github.com/bludit/bludit/releases/tag/3.22.0
x_refsource_confirm: https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw
x_refsource_misc: https://github.com/bludit/bludit/commit/7931d1c55a3cc535911a9901c328f0197afe1c9f
Scores
CVSS v3: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0029
EPSS Percentile: 20.9%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-285, CWE-613
Status: published
Products (1): bludit/bludit < 3.22.0
Published: Jun 08, 2026
Tracked Since: Jun 08, 2026