
Description

Bludit is a content management system. Versions prior to 3.22.0 have a broken access control flaw: an authenticated session remains valid after the user account it belongs to has been deleted from the database, because requests are authorized on the session record alone and the existence of the referenced user is not re-checked. This "ghost session" lets a deleted (revoked) user keep full, unauthorized access to the system for as long as the stale session is accepted. Version 3.22.0 fixes the issue.
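The pattern behind the flaw, and the two-part fix a practitioner would want (re-validate the session's user on every request, and revoke a user's sessions at deletion time), as an added example in Python. This is not Bludit's code and does not reproduce its session handling; the in-memory USERS and SESSIONS stores, the function names and the "editor" account are constructed for illustration.

```python
"""Added example (not Bludit's code): the 'ghost session' pattern.

A session record only carries a pointer to a user. If the authorization
path never dereferences that pointer against the user store, deleting
the account revokes nothing the holder of the session can do.
"""
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory stores standing in for the CMS database.
USERS: Dict[str, dict] = {}      # username -> {"role": ...}
SESSIONS: Dict[str, dict] = {}   # session token -> {"user": ..., "issued": ...}


def reset() -> None:
    """Clear both stores so each scenario starts from a clean state."""
    USERS.clear()
    SESSIONS.clear()


def add_user(username: str, role: str) -> None:
    USERS[username] = {"role": role}


def login(username: str) -> str:
    """Issue an opaque session token bound to the username (password check out of scope)."""
    if username not in USERS:
        raise PermissionError("unknown user")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "issued": time.time()}
    return token


def delete_user_vulnerable(username: str) -> None:
    """Removes the account row but leaves its sessions untouched (the CVE pattern)."""
    USERS.pop(username, None)


def authorize_vulnerable(token: str) -> Optional[str]:
    """Trusts the session record alone; the user it names may no longer exist."""
    sess = SESSIONS.get(token)
    return sess["user"] if sess else None


def revoke_sessions_for(username: str) -> int:
    """Invalidate every session bound to the user; returns how many were removed."""
    dead = [t for t, s in SESSIONS.items() if s["user"] == username]
    for t in dead:
        del SESSIONS[t]
    return len(dead)


def delete_user_fixed(username: str) -> None:
    """Delete the account and its live sessions in one step."""
    USERS.pop(username, None)
    revoke_sessions_for(username)


def authorize_fixed(token: str) -> Optional[str]:
    """Re-validate on every request: the session must exist AND its user must still exist.

    A session whose user is gone is destroyed so it cannot be replayed later,
    which also covers sessions created before the revoke-on-delete fix shipped.
    """
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if sess["user"] not in USERS:
        del SESSIONS[token]  # ghost session: drop it
        return None
    return sess["user"]


def ghost_session_demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (vulnerable result, fixed result) for a token whose user was deleted."""
    reset()
    add_user("editor", "editor")
    token = login("editor")
    delete_user_vulnerable("editor")
    ghost = authorize_vulnerable(token)  # still "editor": the ghost session
    fixed = authorize_fixed(token)       # None, and the stale session is purged
    return ghost, fixed


if __name__ == "__main__":
    print(ghost_session_demo())
```

Checking the user on every request is the essential half of the fix: revoking sessions at deletion time alone still leaves any session store that was out of sync (a replica, a cache, a crash between the two writes) able to authorize a deleted account.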

Status: Published | Reserved 2026-05-15 | Published 2026-06-08 | Updated 2026-06-08 | Assigner: GitHub_M

Severity: HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-285: Improper Authorization

CWE-613: Insufficient Session Expiration

Product status

< 3.22.0: affected

References

github.com/...bludit/security/advisories/GHSA-rpq2-j9w3-h4jw (tagged: exploit)

github.com/...ommit/7931d1c55a3cc535911a9901c328f0197afe1c9f

github.com/bludit/bludit/releases/tag/3.22.0

cve.org (CVE-2026-46656)

nvd.nist.gov (CVE-2026-46656)
