CVE-2026-59255

HIGH

BloodHound Missing Authorization on Custom Node Management API

Title source: cna
STIX 2.1

Description

BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting all users and tenants by invoking unprotected POST, PUT, and DELETE operations on the custom-nodes endpoints.

References (4)

Core 4

Scores

CVSS v3 7.1
EPSS 0.0025
EPSS Percentile 15.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
SpecterOps/BloodHound < 9.4.0
SpecterOps/BloodHound 8f790351349fd87bcb04377aba84cba6495825b3
Published Jul 15, 2026
Tracked Since Jul 15, 2026