CVE-2026-46656

EUVD-2026-35081
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been  physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
bluditbludit
𝑥
< 3.22.0
CNA
Common Weakness Enumeration
References
https://github.com/bludit/bludit/commit/7931d1c55a3cc535911a9901c328f0197afe1c9f
https://github.com/bludit/bludit/releases/tag/3.22.0
https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw
https://github.com/bludit/bludit/security/advisories/GHSA-rpq2-j9w3-h4jw