CVE-2026-46657 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46657: Bludit's persistent authentication tokens not revoked upon account disablement

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear the associated tokenAuth and tokenRemember fields in the JSON database. Consequently, any user with a pre-existing "Remember Me" cookie can bypass the account disablement and maintain a valid authenticated state. Version 3.22.0 patches the issue.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is an authentication-bypass vulnerability in Bludit, an open-source flat-file content management system. It is reachable over the network by any user who holds a low-privilege account (or had one before it was disabled), and no further victim interaction is required. Successful exploitation lets a deactivated user maintain a fully authenticated session, bypassing the administrator's intent to revoke access and retaining read access to protected content along with limited write capability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-46657 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that package Bludit.

Triage (Available)

Triage is available: the CVSS v3.1 score of 7.1 (HIGH) is weighted against each customer environment's compliance policy to determine priority, and findings are routed to the appropriate team inbox in each customer organization according to configured ownership rules.

Patch (Pending upstream)

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the Bludit project ships version 3.22.0 or any earlier remediation release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once the fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Bludit application over the network; any internet-exposed or internally routable Bludit instance is in scope.

  • Authentication: Required

    The attacker must hold (or have previously held) a low-privilege Bludit account, because the bypass relies on a persistent token issued to that account before disablement.

  • Victim interaction: Not required

    No victim action is needed; the attacker replays their existing Remember Me cookie autonomously.

  • Attack complexity: Detail

    The exploit is reliable and condition-free: the attacker simply presents the stored cookie, with no race condition or environmental prerequisite involved.

Blast Radius

  • A deactivated user retains a fully authenticated session and can read protected CMS content, including unpublished drafts and any data accessible to their original role.
  • The attacker can perform limited write operations consistent with their former account privileges, such as modifying or creating content, depending on the role assigned before disablement.
  • Administrator-initiated access revocation is silently ineffective, meaning security-incident containment actions (disabling a compromised or departing user) do not achieve their intended result.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-46657 is active across connected registries and pipelines, and any image containing a Bludit version below 3.22.0 will be flagged at HIGH severity. Because no upstream patch has been published yet, HarborGuard monitors the Bludit advisory on every ingest cycle and will make a patched-image rebuild available automatically once version 3.22.0 or an equivalent fix is released. In the interim, compensating controls worth considering include network-policy isolation to restrict which principals can reach the Bludit service, egress filtering to reduce lateral movement if a deactivated account token is misused, and a manual token-clearing procedure (nulling the tokenAuth and tokenRemember fields in the JSON database for any disabled account) until the upstream fix is available. For customers with auto-remediation enabled, the moment a fix version is published HarborGuard will initiate a rebuild, run regression tests, and open a PR against affected workloads without requiring manual intervention.
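The manual token-clearing procedure above, written out as an added example (not HarborGuard's or Bludit's own code): it parses a users database, audits which disabled accounts still hold a tokenAuth or tokenRemember value, and nulls both fields so a replayed Remember Me cookie no longer matches. The PHP guard line, the field layout and the list of disabled usernames are assumptions for this example; the sample database is constructed.

```python
import json
import re

# Constructed sample in the shape of a Bludit users database: a PHP guard line
# followed by a JSON object keyed by username (layout assumed for this example).
SAMPLE_DB = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "admin": {"role": "admin",  "tokenAuth": "a1b2c3", "tokenRemember": "r1r2r3"},
  "alice": {"role": "author", "tokenAuth": "d4e5f6", "tokenRemember": "r4r5r6"},
  "bob":   {"role": "author", "tokenAuth": "",       "tokenRemember": ""}
}"""

GUARD_LINE = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n"
GUARD_RE = re.compile(r"^<\?php[^\n]*\n")  # first line only, if present


def parse_users_db(raw):
    """Strip the PHP guard line (if any) and parse the JSON body into a dict."""
    return json.loads(GUARD_RE.sub("", raw, count=1))


def audit_lingering_tokens(db, disabled):
    """Disabled accounts whose tokenAuth or tokenRemember is still set.

    Any name returned here can still re-authenticate with a stored cookie."""
    return sorted(u for u in disabled
                  if u in db and (db[u].get("tokenAuth") or db[u].get("tokenRemember")))


def revoke_tokens(db, disabled):
    """Null both token fields for every disabled account; returns accounts changed.

    Unknown usernames are skipped rather than created."""
    changed = 0
    for u in disabled:
        entry = db.get(u)
        if entry and (entry.get("tokenAuth") or entry.get("tokenRemember")):
            entry["tokenAuth"] = ""
            entry["tokenRemember"] = ""
            changed += 1
    return changed


def serialize_users_db(db):
    """Re-emit the database with the guard line so it round-trips through parse_users_db."""
    return GUARD_LINE + json.dumps(db, indent=2)


if __name__ == "__main__":
    users = parse_users_db(SAMPLE_DB)
    disabled_accounts = {"alice", "bob"}  # assumed: names the administrator disabled
    print("still tokenised:", audit_lingering_tokens(users, disabled_accounts))
    print("revoked:", revoke_tokens(users, disabled_accounts))
```

Run the audit before and after the revoke step on a copy of the live file; an empty audit result afterwards is the check that the compensating control took effect.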

Affected packages

  • bludit / bludit: < 3.22.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N