HarborGuard Database
CRITICAL | CVE-2026-50869 | CNA: mitre

CVE-2026-50869: An issue in the api/plugin.php component of Bludit v3.19.0

An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to execute a directory traversal via supplying a crafted request.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A directory traversal vulnerability in the api/plugin.php component of Bludit v3.19.0 allows an unauthenticated attacker to send a crafted HTTP request over the network and reach files outside the intended path boundaries. No authentication or victim interaction is needed, and exploitation is reliable. Successful exploitation gives an attacker full read access to sensitive files, the ability to tamper with stored data, and the ability to disrupt service availability. HarborGuard is tracking this advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Bludit v3.19.0. Any image containing the affected api/plugin.php component is flagged automatically at scan time.

Triage (Available)

HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each customer environment's compliance policy to determine urgency and routing. The resulting alert is delivered to the inbox or ticketing integration configured for the relevant team within that organization.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the meantime, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing this component.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Bludit api/plugin.php endpoint over the network; any internet-exposed or internally routable instance is in scope.

  • Authentication: Not required

    No account or credentials are needed; the malicious request can be sent by any unauthenticated party.

  • Victim interaction: Not required

    No user action is required; the attacker sends the crafted request directly to the server without involving any end user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental setup.

Blast Radius

  • Reads arbitrary files from the server filesystem, including configuration files, credentials, and application secrets stored outside the web root.
  • Modifies or overwrites files accessible through the traversal path, corrupting application data or injecting malicious content.
  • Disrupts availability of the Bludit service by deleting or corrupting critical application files.
  • Provides a foothold for further compromise if read access exposes private keys, database passwords, or other authentication material.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked and matched against all scanned images containing Bludit v3.19.0, including custom-built images, with results surfaced in each customer's dashboard at CVSS Critical priority. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as Bludit ships a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention the moment a fix version is published. While waiting for an upstream patch, recommended compensating controls include applying a network policy to restrict access to the api/plugin.php endpoint to trusted sources only, enabling egress filtering on containers running Bludit to limit post-exploitation reach, and considering feature-flag gating or WAF rules to block requests containing directory traversal sequences targeting the plugin API.
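One way to implement the WAF-style compensating control mentioned above, as an added example that is not HarborGuard's or Bludit's own code: a detector that normalizes each request target (repeated percent-decoding, backslash-to-slash) and flags requests to api/plugin.php whose path or query carries a `..` segment. The `name` query parameter and the access-log lines are constructed for illustration; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

PLUGIN_API = "/api/plugin.php"  # endpoint named in the advisory
# Common-log-format request line: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(target: str) -> str:
    """Decode the request target the way a lenient server might.

    Percent-decoding is repeated (up to three rounds) until the value is
    stable so that double-encoded sequences such as %252e%252e are seen as
    '..'; backslashes are mapped to '/' since some stacks accept both.
    """
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal_against_plugin_api(target: str) -> bool:
    """True when the normalized target ends in api/plugin.php and any
    '/'-, '&'- or '='-separated segment of the path or query is '..'."""
    norm = normalize_target(target)
    path, _, query = norm.partition("?")
    if not path.endswith(PLUGIN_API):
        return False  # other endpoints are out of scope for this rule
    segments = re.split(r"[/&=]", f"{path}/{query}")
    return any(seg == ".." for seg in segments)


def flag_log_lines(lines):
    """Return (line_number, request_target) for every matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and is_traversal_against_plugin_api(m.group("target")):
            hits.append((n, m.group("target")))
    return hits


# Constructed sample access-log lines (not taken from any real incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api/plugin.php?name=about HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /api/plugin.php?name=../../outside.txt HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /api/plugin.php?name=..%2f..%2foutside.txt HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /api/plugin.php?name=%252e%252e%2f..%5coutside.txt HTTP/1.1" 403 0',
    '192.0.2.9 - - [01/Jan/2026:10:00:04 +0000] "GET /api/plugin.php?name=my..plugin HTTP/1.1" 200 100',
]
```

Running `flag_log_lines(SAMPLE_LOG)` flags lines 2, 3 and 4 (plain, single-encoded and double-encoded traversal) while leaving the benign `about` and `my..plugin` requests alone, because the rule matches whole `..` segments rather than the substring.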

Affected packages: n/a
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H