CVE-2026-46657

Published: Giu 08, 2026 Last Modified: Giu 08, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: low
Availability: none

Description

AI Translation Available

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear the associated tokenAuth and tokenRemember fields in the JSON database. Consequently, any user with a pre-existing 'Remember Me' cookie can bypass the account disablement and maintain a valid authenticated state. Version 3.22.0 patches the issue.

212

Improper Removal of Sensitive Information Before Storage or Transfer

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Files Or Directories Read Application Data
Applicable Platforms
All platforms may be affected
View CWE Details
613

Insufficient Session Expiration

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
Technologies: Web Based, Web Server
View CWE Details
https://github.com/bludit/bludit/security/advisories/GHSA-g…
https://github.com/bludit/bludit/security/advisories/GHSA-ggqg-xvx6-hgwh
https://github.com/bludit/bludit/releases/tag/3.22.0
https://github.com/bludit/bludit/releases/tag/3.22.0
https://github.com/bludit/bludit/security/advisories/GHSA-g…
https://github.com/bludit/bludit/security/advisories/GHSA-ggqg-xvx6-hgwh