CVE-2026-46656 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46656: Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

An improper authorization flaw in Bludit CMS (versions before 3.22.0) allows session tokens belonging to deleted user accounts to remain fully valid, granting those accounts continued access to the system as so-called ghost sessions. The vulnerability is reachable over the network and requires only a low-privilege account credential, meaning any user whose account was deleted but whose session token was not explicitly invalidated retains complete access. Successful exploitation gives the attacker full read, write, and administrative access to the CMS, equivalent to an active authenticated user. HarborGuard tracks this advisory and will make a patched-image rebuild available at version 3.22.0 the moment an upstream fix is confirmed published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46656 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Bludit. No manual feed configuration is required to receive coverage.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 8.8 (HIGH) and weighting it further against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer org.

Patch: Pending upstream

Because no fix version has been confirmed published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 3.22.0 or a later upstream release is confirmed. For customers who opt into auto-remediation, the rebuild, the regression test run, and a PR opened against affected workloads will trigger without manual intervention as soon as the fix is available.

Exploit Conditions

  • Network reachability: Required
    The attacker must reach the Bludit service over the network; there is no requirement for local or physical access.

  • Authentication: Required
    A low-privilege account is sufficient; the attacker only needs a valid session token that was issued before the account was deleted.

  • Victim interaction: Not required
    No user interaction is needed; the attacker exercises the ghost session directly without involving another party.

  • Attack complexity: Low
    Exploitation is reliable and condition-free once a valid session token is in hand; no race conditions or special environmental factors are required.

Blast Radius

  • Reads all CMS content, stored credentials, and configuration data accessible to the deleted account.
  • Modifies or deletes published pages, posts, and site settings within the CMS.
  • Creates or manipulates user accounts and access controls if the ghost session carried sufficient privileges.
  • Disrupts normal CMS operation by altering or removing critical configuration files or content.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked and matched against any image in a customer registry or build pipeline that includes Bludit prior to version 3.22.0. Because no upstream fix version has been confirmed published at this time, HarborGuard re-checks the advisory on every ingest cycle. The moment a confirmed fix is published, a patched-image rebuild becomes available automatically; for customers who opt into auto-remediation, that triggers a rebuild, a regression test run, and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls worth considering include network-policy isolation of the Bludit service to limit its exposure surface, egress filtering to reduce lateral-movement risk, and a manual audit of active session tokens to revoke any belonging to accounts that have been removed from the database.
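As an added illustration (not Bludit's code and not HarborGuard's tooling), the following Python models the mediation failure described above alongside the two defender responses: re-checking the session's owner on every request, and auditing the session store to revoke orphaned sessions as a compensating control. The user and session tables, field names and sample data are constructed, and the fixed check also rejects sessions issued before the account's last credential change, a related control this advisory does not discuss.

```python
from typing import Dict, List, Optional

# Constructed stand-ins for a CMS user table and session table (not Bludit's
# real storage): users[user_id] -> {"role", "auth_changed_at"};
# sessions[token] -> {"user_id", "issued_at"} (epoch seconds).
Users = Dict[str, dict]
Sessions = Dict[str, dict]


def authorize_vulnerable(users: Users, sessions: Sessions, token: str) -> Optional[str]:
    """Mediation failure: trusts the session record alone, so a session whose
    user row has been deleted still authorizes (the ghost session)."""
    sess = sessions.get(token)
    return sess["user_id"] if sess else None


def authorize_fixed(users: Users, sessions: Sessions, token: str) -> Optional[str]:
    """Complete mediation: re-resolve the principal on every request and drop
    the session if its user is gone or changed credentials after issuance."""
    sess = sessions.get(token)
    if sess is None:
        return None
    user = users.get(sess["user_id"])
    if user is None or sess["issued_at"] < user["auth_changed_at"]:
        sessions.pop(token, None)  # revoke the stale session on the spot
        return None
    return sess["user_id"]


def revoke_ghost_sessions(users: Users, sessions: Sessions) -> List[str]:
    """Compensating control: audit the session table once and revoke every
    session whose owner no longer exists. Returns the revoked tokens."""
    ghosts = [t for t, s in sessions.items() if s["user_id"] not in users]
    for t in ghosts:
        del sessions[t]
    return ghosts


def demo() -> dict:
    users = {"alice": {"role": "editor", "auth_changed_at": 100},
             "bob": {"role": "admin", "auth_changed_at": 100}}
    sessions = {t: {"user_id": u, "issued_at": 200}
                for t, u in [("tok-a1", "alice"), ("tok-a2", "alice"), ("tok-b", "bob")]}
    del users["alice"]  # account deleted; its session rows survive
    return {
        "vulnerable": authorize_vulnerable(users, sessions, "tok-a1"),  # "alice"
        "fixed": authorize_fixed(users, sessions, "tok-a1"),            # None
        "ghosts": revoke_ghost_sessions(users, sessions),               # ["tok-a2"]
        "bob_still_ok": authorize_fixed(users, sessions, "tok-b"),      # "bob"
    }
```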

Affected packages
  • bludit / bludit < 3.22.0

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H