CVE-2026-46656

HIGH 8.8

Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.

CWE	CWE-285 CWE-613
Vendor	bludit
Product	bludit
Published	Jun 8, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for bludit bludit

Be the first to know when new high vulnerabilities affecting bludit bludit are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

bludit / bludit

< 3.22.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw github.com: https://github.com/bludit/bludit/commit/7931d1c55a3cc535911a9901c328f0197afe1c9f github.com: https://github.com/bludit/bludit/releases/tag/3.22.0