Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API with any authenticated user (PR:L, AC:L, UI:N); impact is integrity to the shared schema (I:H) with minor availability loss (A:L) and no confidentiality exposure.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting all users and tenants by invoking unprotected POST, PUT, and DELETE operations on the custom-nodes endpoints.
AnalysisAI
Improper authorization in SpecterOps BloodHound through 9.4.0 lets any authenticated user tamper with the global custom-node graph schema by calling POST, PUT, and DELETE operations on the /api/v2/custom-nodes endpoints, which enforced only that a caller was logged in rather than that they held write permissions. Because custom node kinds are a shared, tenant-wide schema construct, a single low-privileged account can create, alter, or delete node types that affect every user and tenant on the instance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session/token on the BloodHound instance (PR:L) and network reachability to the API's /api/v2/custom-nodes endpoints; no user interaction, no special product configuration, and no elevated role are needed because the vulnerable routes accepted any authenticated user via RequireAuth(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:N/VI:H/VA:L) is internally consistent with the description: network-reachable, low complexity, requires a low-privileged authenticated session, no user interaction, with the primary impact being integrity to the shared schema (VI:H) and minor availability degradation (VA:L), no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged analyst account (or an attacker who has obtained any valid session token) sends a crafted DELETE or PUT to /api/v2/custom-nodes to remove or alter custom node kinds, corrupting the graph schema for every user and tenant on the shared instance. Given AV:N/AC:L and publicly available exploit code, this is a simple authenticated HTTP request with no user interaction, usable to sabotage investigations or degrade the analysis environment. |
| Remediation | Upgrade to a BloodHound release that includes the fix commit 8f790351349fd87bcb04377aba84cba6495825b3 (merged via PR #2989), which changes the custom-nodes routes from RequireAuth() to permission-gated RequirePermissions(OpenGraphRead) for reads and RequirePermissions(OpenGraphWrite) for the POST/PUT/DELETE mutations; a released patched version number is not stated in the input, so confirm the exact tagged release against the SpecterOps advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify your current BloodHound deployment version and confirm whether you are running 9.4.0 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Bloodhound
View allcomponents/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrar
components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands (by spawnin
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44754
GHSA-7qmq-x64g-8v7j