Description
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.
Published: 2026-06-08
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bludit CMS versions earlier than 3.22.0 continue to honour an existing user session after the corresponding account has been removed from the database. Because the session is never re-checked against the user store, a revoked or deleted user keeps whatever privileges the account held for as long as the session lives. The weakness is classified as CWE-285 (improper authorization) and CWE-613 (insufficient session expiration) and can result in unauthorized reading, modification, or publication of content.
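The following is an added illustration of the flaw and of the per-request check that closes it; it is not Bludit's code, and the in-memory stores, function names and the exact location of the 3.22.0 fix are assumptions. The vulnerable check trusts any session that carries a username; the hardened check re-validates the principal against the user store on every request and destroys the session when the account is gone, and deletion itself revokes the account's sessions.

```python
"""Model of a ghost session: a session still honoured after its account was
deleted, beside the per-request check that rejects it.
Added illustration; stores and names are assumptions, not Bludit's code."""
import secrets

# Constructed in-memory stands-ins for the CMS user database and the
# server-side session store (PHP session files in a real Bludit install).
USERS = {}      # username -> role
SESSIONS = {}   # session id -> {"username": ..., "role": ...}


def create_user(username, role="author"):
    USERS[username] = role


def login(username, password_ok=True):
    """Issue a session once credentials are verified (verification elided)."""
    if username not in USERS or not password_ok:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"username": username, "role": USERS[username]}
    return sid


def delete_user_without_revocation(username):
    """Deletion as described for Bludit < 3.22.0: the record disappears,
    sessions that reference it are left untouched."""
    USERS.pop(username, None)


def is_logged_vulnerable(sid):
    """Pre-fix style check: a session that exists and names a user is
    trusted; the user record is never consulted again."""
    sess = SESSIONS.get(sid)
    return bool(sess and sess.get("username"))


def is_logged_fixed(sid):
    """Hardened check: the user named in the session must still exist and
    the role is re-read from the record. A session whose account is gone is
    destroyed so it cannot be replayed later."""
    sess = SESSIONS.get(sid)
    if not sess:
        return False
    username = sess.get("username")
    if username not in USERS:
        SESSIONS.pop(sid, None)       # ghost session: kill it
        return False
    sess["role"] = USERS[username]    # authority comes from the record
    return True


def delete_user_with_revocation(username):
    """Deletion that also drops every session the account owns."""
    USERS.pop(username, None)
    for sid in [s for s, v in SESSIONS.items() if v.get("username") == username]:
        SESSIONS.pop(sid)


def demo():
    """Run both scenarios and return the observable outcomes."""
    USERS.clear()
    SESSIONS.clear()
    create_user("ghost", role="admin")
    sid = login("ghost")
    delete_user_without_revocation("ghost")
    still_trusted = is_logged_vulnerable(sid)   # True: the ghost session
    rejected = not is_logged_fixed(sid)         # True: fixed check refuses it
    session_gone = sid not in SESSIONS          # True: and destroys it
    create_user("other")
    sid2 = login("other")
    delete_user_with_revocation("other")
    return {"still_trusted": still_trusted, "rejected": rejected,
            "session_gone": session_gone, "revoked_at_delete": sid2 not in SESSIONS}


if __name__ == "__main__":
    print(demo())
```

The two halves are independent defences: revoking sessions at deletion time removes the window entirely, and re-checking the principal on every request catches anything that slips past (a session store the deletion code does not know about, a role change rather than a deletion, a plugin that issues its own sessions).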

Affected Systems

The affected product is bludit:bludit. Versions prior to 3.22.0 are vulnerable, as the patch in the 3.22.0 release removes the ghost session behavior. Systems running these earlier releases should be identified and updated accordingly.

Risk and Exploitability

The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the flaw High: reachable over the network, no user interaction, and full confidentiality, integrity and availability impact within the application. No EPSS score is available and the CVE is not in the CISA KEV catalog; the SSVC assessment recorded in the history below marks Exploitation as "poc", so a proof of concept exists but no in-the-wild exploitation has been reported at the time of writing. Exploitation requires a session that was issued to the account before it was deleted: either the removed user's own still-open session, or a session cookie taken from that user beforehand (PR:L in the vector reflects this). Once the account is gone the session keeps granting whatever privileges the account held until the session itself expires or is destroyed on the server. Bludit runs on PHP, and with PHP's default file-backed session handler a web server or PHP-FPM restart does not by itself remove stored sessions, so a restart should not be relied on to evict a ghost session.

Generated by OpenCVE AI on June 8, 2026 at 16:39 UTC.

Remediation

The CVE description states that version 3.22.0 fixes the issue; no separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Bludit to version 3.22.0 or later to apply the fix for ghost session validation.
  • If an immediate upgrade is not possible, invalidate the sessions of deleted accounts by hand. Bludit runs on PHP; with the default file-backed session handler this means deleting the matching files under the configured session.save_path (or, if sessions cannot be attributed to a user, deleting all of them and forcing everyone to log in again). Restarting the web server or PHP-FPM does not by itself discard file-backed sessions.
  • Keep session lifetimes short, and in any custom code or plugin that authorizes requests, re-check on every request that the account named in the session still exists and still holds the expected role, so that deletion or demotion takes effect immediately rather than when the session expires.
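As an added illustration of the manual workaround above (not a Bludit script), the following finds and removes PHP session files that belong to accounts no longer present in the user database. It assumes file-backed PHP sessions (session.save_handler=files) in a known session.save_path, and that the CMS records the login name under the session key "username" (Bludit's Session helper does, but confirm against your install). Both PHP session serialisers are handled, and the sample session files are constructed in a temporary directory so the script runs offline.

```python
"""Evict server-side PHP session files that reference deleted accounts.
Added illustration, not Bludit's own code. Assumptions: file-backed PHP
sessions under session.save_path, login name stored under key "username"."""
import os
import re
import tempfile

# Matches the username in either PHP session serialiser:
#   session.serialize_handler=php           ->  username|s:5:"admin";
#   session.serialize_handler=php_serialize ->  s:8:"username";s:5:"admin";
_USERNAME_RE = re.compile(
    r'(?:^|;)username\|s:\d+:"([^"]*)";'      # php handler
    r'|s:8:"username";s:\d+:"([^"]*)";'       # php_serialize handler
)


def username_from_session_data(data):
    """Login name recorded in raw session data, or None if anonymous."""
    m = _USERNAME_RE.search(data)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def session_username(path):
    with open(path, "r", encoding="latin-1") as fh:
        return username_from_session_data(fh.read())


def find_ghost_sessions(save_path, live_users):
    """Session files whose recorded user is not in live_users."""
    ghosts = []
    for name in os.listdir(save_path):
        if not name.startswith("sess_"):      # PHP file-handler naming
            continue
        path = os.path.join(save_path, name)
        user = session_username(path)
        if user is not None and user not in live_users:
            ghosts.append(path)
    return sorted(ghosts)


def purge_ghost_sessions(save_path, live_users):
    """Delete ghost session files; returns the usernames that were evicted."""
    evicted = []
    for path in find_ghost_sessions(save_path, live_users):
        evicted.append(session_username(path))
        os.remove(path)
    return evicted


def demo():
    """Constructed session directory: two live users, one deleted account,
    one anonymous visitor. Returns what was evicted and what remains."""
    save_path = tempfile.mkdtemp(prefix="php-sessions-")
    samples = {
        "sess_a1": 'username|s:5:"admin";role|s:5:"admin";',
        "sess_b2": 'a:2:{s:8:"username";s:6:"editor";s:4:"role";s:6:"editor";}',
        "sess_c3": 'username|s:5:"ghost";role|s:5:"admin";',   # deleted account
        "sess_d4": 'fingerPrint|s:3:"abc";',                    # anonymous
    }
    for name, body in samples.items():
        with open(os.path.join(save_path, name), "w") as fh:
            fh.write(body)
    live_users = {"admin", "editor"}   # what the CMS user database holds now
    evicted = purge_ghost_sessions(save_path, live_users)
    return {"evicted": evicted, "remaining": sorted(os.listdir(save_path))}


if __name__ == "__main__":
    print(demo())
```

On a real host, take save_path from `php -r 'echo session_save_path();'` (or the PHP-FPM pool configuration) and live_users from the CMS's current user list; the script needs write access to the session directory. It is a stop-gap for the window before the upgrade, not a substitute for it, since new ghost sessions appear every time an account is deleted.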



Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Bludit; Bludit bludit

Type: Vendors & Products
Values removed: (none)
Values added: Bludit; Bludit bludit

Mon, 08 Jun 2026 15:45:00 +0000

Type: Description
Values removed: (none)
Values added: Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.

Type: Title
Values removed: (none)
Values added: Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions

Type: Weaknesses
Values removed: (none)
Values added: CWE-285, CWE-613

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T18:35:29.965Z

Reserved: 2026-05-15T20:11:54.585Z

Link: CVE-2026-46656

Vulnrichment

Updated: 2026-06-08T18:34:38.803Z

NVD

Status : Received

Published: 2026-06-08T16:16:42.873

Modified: 2026-06-08T19:16:46.110

Link: CVE-2026-46656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T16:45:26Z

Weaknesses