CVE-2026-46656
HIGH
8,8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Description
AI Translation Available
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This 'Ghost Session' allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.
285
Improper Authorization
DraftCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Potential Impacts:
Read Application Data
Read Files Or Directories
Modify Application Data
Modify Files Or Directories
Gain Privileges Or Assume Identity
Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies:
Not Technology-Specific, Web Server, Database Server
613
Insufficient Session Expiration
IncompleteCommon Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
Technologies:
Web Based, Web Server
https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw
https://github.com/bludit/bludit/commit/7931d1c55a3cc535911a9901c328f0197afe1c9f
https://github.com/bludit/bludit/releases/tag/3.22.0
https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw