Bluvoyix
CVE-2026-22238
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user.
AnalysisAI
BLUVOYIX admin APIs allow unauthenticated creation of admin users, enabling complete platform takeover.
Technical ContextAI
Admin APIs lack authentication (CWE-269), allowing anyone to create admin accounts.
RemediationAI
Implement authentication on all APIs. Audit existing admin accounts.
BLUVOYIX exposes internal API documentation publicly, allowing attackers to discover and abuse internal functionality.
BLUVOYIX platform has unauthenticated API access allowing full customer data extraction and platform compromise.
Bluvoyix stores user passwords in plaintext and exposes them through unauthenticated APIs, allowing remote attackers to
BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on beh
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today