PatchSiren cyber security CVE debrief
CVE-2026-46656 bludit CVE debrief
CVE-2026-46656 is a high-severity vulnerability in Bludit, a content management system. Versions prior to 3.22.0 are affected by a Broken Access Control flaw, which allows active sessions to remain valid even after the corresponding user account has been physically deleted from the database. This 'Ghost Session' enables revoked users to maintain full unauthorized access to the system. The vulnerability has a CVSS score of 8.8 and is classified as HIGH. Version 3.22.0 fixes the issue.
- Vendor: bludit
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of Bludit versions prior to 3.22.0 should be aware of this vulnerability and take immediate action to upgrade to the latest version.
Technical summary
The vulnerability is caused by a Broken Access Control flaw in Bludit versions prior to 3.22.0. This flaw allows active sessions to remain valid even after user account deletion, enabling revoked users to maintain unauthorized access.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Bludit version 3.22.0 or later to fix the issue.
- Review and revoke any active sessions of deleted user accounts.
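The flaw class in the technical summary and the session review recommended above can be modelled in a few lines. This is an added example, not Bludit's code: the `SessionAuth` class, its method names and the in-memory dictionaries are hypothetical stand-ins for a user store and a server-side session store.

```python
import secrets

class SessionAuth:
    """Constructed model of a session layer; not taken from Bludit."""

    def __init__(self):
        self.users = {}     # username -> role (stands in for the user database)
        self.sessions = {}  # session token -> username (server-side sessions)

    def login(self, username):
        if username not in self.users:
            raise PermissionError("unknown user")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def delete_user_vulnerable(self, username):
        # Flawed pattern: the account record goes away, its sessions do not.
        self.users.pop(username, None)

    def authorize_vulnerable(self, token):
        # Flawed pattern: the session alone is trusted, so a session that
        # outlives its account (a "ghost session") is still accepted.
        return self.sessions.get(token)

    def delete_user(self, username):
        # Hardened: deleting an account revokes every session bound to it.
        self.users.pop(username, None)
        for token in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[token]

    def authorize(self, token):
        # Hardened: re-check on every request that the account still exists,
        # and purge the session if it does not.
        username = self.sessions.get(token)
        if username is None:
            return None
        if username not in self.users:
            del self.sessions[token]
            return None
        return username

    def orphaned_sessions(self):
        # Audit helper: sessions whose owning account no longer exists.
        return [t for t, u in self.sessions.items() if u not in self.users]
```

Revoking at deletion time and re-checking on each request are complementary: the first closes the window immediately, the second catches sessions orphaned by any other path, such as a record removed directly from storage.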
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. Additional details can be found in the source item URL and source references.
Official resources
CVE-2026-46656 was published on 2026-06-08T16:16:42.873Z and modified on 2026-06-09T13:57:49.980Z.