CRITICAL | CVE-2026-38329 | CNA: mitre

CVE-2026-38329: Bludit CMS before version 3.18.4

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.
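As an added illustration (not Bludit's own code, nor HarborGuard's), the following standalone PHP upload guard applies the two controls the description says the endpoint lacked: an authorization check on the caller's role and an extension/content allow-list, plus a server-chosen destination path. The role names, the allow-list, the upload directory and the function name are assumptions.

```php
<?php
// Added illustration, not Bludit's own code: an upload guard applying the two controls
// the advisory says POST /api/files/{key} lacked (authorization and extension checks).
// Extension -> MIME types that may carry it. No script-capable types (php, phtml, svg, html).
const UPLOAD_ALLOWED = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Returns null when the upload may proceed, otherwise the reason it was rejected.
// $tokenRole: role the API token resolves to (assumed names); $file: one $_FILES entry;
// $uploadDir: the only directory uploads may be written to.
function guardApiUpload(string $tokenRole, array $file, string $uploadDir): ?string
{
    // 1. Authorization: holding a valid token is not a permission to write files.
    if (!in_array($tokenRole, ['admin', 'editor'], true)) {
        return 'role not permitted to upload files';
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    // 2. Extension allow-list, checked on every dotted segment so that
    //    "cmd.php.png" and "cmd.phtml" are both refused.
    $name  = strtolower(basename((string) ($file['name'] ?? '')));
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return 'filename needs a base name and an extension';
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!array_key_exists($ext, UPLOAD_ALLOWED)) {
            return "extension '$ext' is not allowed";
        }
    }
    // 3. The bytes must match what the extension claims (no PHP inside a ".png").
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, UPLOAD_ALLOWED[end($parts)], true)) {
        return "content type '$mime' does not match the extension";
    }
    // 4. Server-chosen name inside the fixed upload directory: the client never sets the path.
    $dir = realpath($uploadDir);
    if ($dir === false) {
        return 'upload directory is missing';
    }
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '.' . end($parts);
    return move_uploaded_file($file['tmp_name'], $target) ? null : 'could not store file';
}
```

Pair a guard like this with web server configuration that refuses to execute scripts from the upload directory, so a bypass of the allow-list still does not yield code execution.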

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

A remote code execution vulnerability exists in Bludit CMS before version 3.18.4, reachable over the network by any caller holding a valid API token; no user login or session is required. The POST /api/files/{key} endpoint in the API plugin performs neither an authorization check on that token nor file extension validation, so the caller can upload a PHP script and run arbitrary code on the server. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Bludit CMS.

Triage: Available

HarborGuard scores this CVE at CVSS 9.8 Critical and is capable of weighting that score against each customer environment's compliance policy to determine urgency; findings are routed to the team inbox configured for the affected workload within each organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Bludit API service via HTTP/HTTPS to deliver the malicious upload request.

  • Authentication: Not required

    No account credentials or session are required; possession of any valid API token is sufficient, and the endpoint performs no further authorization checks.

  • Victim interaction: Not required

    Exploitation is fully automated and requires no action from any user on the target system.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions, specific memory layout, or environmental prerequisites are needed to achieve code execution.

Blast Radius

  • An attacker executes arbitrary operating system commands and PHP code under the web server process account.
  • All files readable by the web server process are exposed, including configuration files that may contain database credentials and API secrets.
  • An attacker can write, overwrite, or delete any file the web server process has access to, altering application content and persisted data.
  • The web server process can be crashed or its resources exhausted, taking the Bludit application offline for legitimate users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for this CVE, HarborGuard continuously monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix is published upstream. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads. HarborGuard will surface the availability of a patched rebuild as soon as upstream ships, with no manual polling needed from your team.

In the interim, compensating controls are worth applying at the environment level: restrict network policy so that the Bludit API port is not reachable from untrusted network segments, apply egress filtering on the container to limit what a compromised process can call out to, and consider disabling the API plugin via a feature flag or environment variable if the API is not required by your workload.

Affected packages: n/a

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H