
Bludit CVE-2026-46656

EUVD-2026-35081 · HIGH
Improper Authorization (CWE-285)
2026-06-08 · GitHub_M
CVSS 3.1 base score 8.8 (GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 08, 2026 - 17:01 (EUVD)
Source Code Evidence Fetched: Jun 08, 2026 - 16:16 (vuln.today)
Analysis Generated: Jun 08, 2026 - 16:16 (vuln.today)

Description (GitHub Advisory)

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.

Analysis (AI)

Broken access control in Bludit CMS versions prior to 3.22.0 allows deleted user accounts to retain full authenticated access through pre-existing 'Ghost Sessions' that are never invalidated upon account removal. An authenticated attacker whose account is subsequently revoked can continue performing privileged operations until the session naturally expires. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain legitimate Bludit account
Delivery: Authenticate and capture session token
Exploit: Administrator deletes account
Execution: Replay existing session cookie
Persist: Bypass deleted-user check in isLogged()
Impact: Perform privileged CMS actions as ghost user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to have previously held a valid Bludit user account (any role) and to have an active authenticated session at the moment the administrator deletes that account; the original session cookie or tokenAuth must remain in the attacker's possession. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields 8.8 (High) and accurately reflects the scenario: a low-privileged authenticated user with an active session retains high-impact access after revocation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: A contractor is granted an Editor account on a Bludit site and logs in, establishing an authenticated browser session. The site administrator later deletes the contractor's account at the end of the engagement, but the contractor continues using the still-valid session cookie to publish, modify, or delete content (and, depending on their original role, potentially escalate or alter site configuration) until the session naturally expires.
Remediation: Vendor-released patch: upgrade to Bludit 3.22.0 or later, available at https://github.com/bludit/bludit/releases/tag/3.22.0; the underlying fix is commit 7931d1c55a3cc535911a9901c328f0197afe1c9f. … Detailed patch versions, workarounds, and compensating controls in full report.
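The defect the advisory describes is a session check that trusts the session record alone, so a record outlives the account it belongs to. The following added example (constructed here, not Bludit's code; the class and function names `UserStore`, `SessionStore`, `is_logged_weak`, `is_logged`, `revoke_user` and `demo` are assumptions) contrasts that flawed pattern with two defensive fixes: re-validating that the session's user still exists on every request, and revoking all of a user's sessions at the moment the account is deleted.

```python
"""Ghost-session check: a session must be bound to a user that still exists.

Constructed example, not the CMS's own code. Two mitigations are shown:
  1. is_logged() re-reads the user table on every request and drops a
     session whose owner is gone.
  2. UserStore.delete() can revoke every live session for the account, so
     even a check that never consults the user table stops working.
"""
import secrets
import time


class UserStore:
    """In-memory stand-in for the CMS user table (constructed)."""

    def __init__(self):
        self._users = {}  # username -> role

    def add(self, username, role):
        self._users[username] = role

    def get(self, username):
        return self._users.get(username)

    def delete(self, username, sessions=None):
        """Remove the account; optionally revoke its sessions at the same time."""
        self._users.pop(username, None)
        if sessions is not None:
            sessions.revoke_user(username)  # mitigation 2


class SessionStore:
    """Server-side session records keyed by a random token (constructed)."""

    def __init__(self, users, ttl=3600):
        self._users = users
        self._ttl = ttl
        self._sessions = {}  # token -> {"user": str, "expires": float}

    def login(self, username):
        if self._users.get(username) is None:
            raise PermissionError("unknown user")
        token = secrets.token_hex(32)
        self._sessions[token] = {"user": username, "expires": time.time() + self._ttl}
        return token

    def _record(self, token):
        rec = self._sessions.get(token)
        if rec is None or rec["expires"] < time.time():
            self._sessions.pop(token, None)  # expired or unknown token
            return None
        return rec

    def is_logged_weak(self, token):
        """Flawed pattern: an unexpired session record is taken as proof of identity."""
        return self._record(token) is not None

    def is_logged(self, token):
        """Hardened pattern: the session is valid only while its user still exists."""
        rec = self._record(token)
        if rec is None:
            return False
        if self._users.get(rec["user"]) is None:
            self._sessions.pop(token, None)  # orphaned session: purge it
            return False
        return True

    def revoke_user(self, username):
        """Drop every session that belongs to the given account."""
        for tok in [t for t, r in self._sessions.items() if r["user"] == username]:
            del self._sessions[tok]


def demo():
    """Walk both scenarios and return the outcome of each check as a dict."""
    users = UserStore()
    sessions = SessionStore(users)
    users.add("contractor", "editor")
    tok = sessions.login("contractor")
    result = {"weak_before": sessions.is_logged_weak(tok),
              "hardened_before": sessions.is_logged(tok)}

    # Scenario A: account deleted, sessions left alone (the advisory's flaw).
    users.delete("contractor")
    result["weak_after_delete"] = sessions.is_logged_weak(tok)      # still True
    result["hardened_after_delete"] = sessions.is_logged(tok)       # False

    # Scenario B: deletion also revokes sessions, so even the weak check fails.
    users.add("temp", "author")
    tok2 = sessions.login("temp")
    users.delete("temp", sessions=sessions)
    result["weak_after_delete_with_revocation"] = sessions.is_logged_weak(tok2)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the ordering inside scenario A: the weak check is evaluated before the hardened one, because the hardened check purges the orphaned record and would otherwise mask the flaw. In a real deployment both fixes belong together, since per-request re-validation catches sessions created before the revocation hook existed (including sessions stored client-side or in a cache the deletion path does not reach).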

Recommended Action (AI)

24 hours: Identify all Bludit CMS deployments, document versions, active users, and current sessions. …



CVE-2026-46656 vulnerability details – vuln.today
