Skip to main content

BloodHound CVE-2026-59255

| EUVDEUVD-2026-44754 HIGH
Missing Authorization (CWE-862)
2026-07-15 VulnCheck GHSA-7qmq-x64g-8v7j
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable API with any authenticated user (PR:L, AC:L, UI:N); impact is integrity to the shared schema (I:H) with minor availability loss (A:L) and no confidentiality exposure.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 17:47 vuln.today
Analysis Generated
Jul 15, 2026 - 17:47 vuln.today
CVE Published
Jul 15, 2026 - 17:03 cve.org
HIGH 7.1

DescriptionCVE.org

BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting all users and tenants by invoking unprotected POST, PUT, and DELETE operations on the custom-nodes endpoints.

AnalysisAI

Improper authorization in SpecterOps BloodHound through 9.4.0 lets any authenticated user tamper with the global custom-node graph schema by calling POST, PUT, and DELETE operations on the /api/v2/custom-nodes endpoints, which enforced only that a caller was logged in rather than that they held write permissions. Because custom node kinds are a shared, tenant-wide schema construct, a single low-privileged account can create, alter, or delete node types that affect every user and tenant on the instance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid BloodHound session token
Delivery
Reach /api/v2/custom-nodes API
Exploit
Send unauthorized POST/PUT/DELETE
Execution
Modify global custom node schema
Impact
Corrupt graph for all tenants

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session/token on the BloodHound instance (PR:L) and network reachability to the API's /api/v2/custom-nodes endpoints; no user interaction, no special product configuration, and no elevated role are needed because the vulnerable routes accepted any authenticated user via RequireAuth(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:N/VI:H/VA:L) is internally consistent with the description: network-reachable, low complexity, requires a low-privileged authenticated session, no user interaction, with the primary impact being integrity to the shared schema (VI:H) and minor availability degradation (VA:L), no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged analyst account (or an attacker who has obtained any valid session token) sends a crafted DELETE or PUT to /api/v2/custom-nodes to remove or alter custom node kinds, corrupting the graph schema for every user and tenant on the shared instance. Given AV:N/AC:L and publicly available exploit code, this is a simple authenticated HTTP request with no user interaction, usable to sabotage investigations or degrade the analysis environment.
Remediation Upgrade to a BloodHound release that includes the fix commit 8f790351349fd87bcb04377aba84cba6495825b3 (merged via PR #2989), which changes the custom-nodes routes from RequireAuth() to permission-gated RequirePermissions(OpenGraphRead) for reads and RequirePermissions(OpenGraphWrite) for the POST/PUT/DELETE mutations; a released patched version number is not stated in the input, so confirm the exact tagged release against the SpecterOps advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify your current BloodHound deployment version and confirm whether you are running 9.4.0 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy