Impact
Bludit's user management logic does not revoke persistent authentication tokens when an administrator disables an account. Disabling a user only marks the account inactive; the tokenAuth and tokenRemember fields remain in the JSON user database, so a Remember Me cookie issued before the account was disabled is still accepted. The result is a direct authentication bypass: whoever holds that cookie stays authenticated as the disabled user and can act within the CMS without supplying any further credentials.
Affected Systems
Bludit installations running any version prior to 3.22.0 are affected. The issue resides in the core user management and token handling code bundled with every release before 3.22.0. Operators of older versions should confirm the installed version and upgrade as soon as possible.
Risk and Exploitability
The CVSS score of 7.1 rates the issue as high severity. No EPSS data is reported, but exploitation requires nothing beyond a Remember Me cookie that was issued to the account before it was disabled, whether held by the former user or obtained from a stolen browser session. Because the token remains in the database and is never invalidated, replaying that cookie from the client is sufficient; no new authentication takes place and no password is needed. The vulnerability is not listed in the CISA KEV catalog, which suggests no confirmed widespread exploitation, but the attack is trivial for anyone who holds a valid cookie. Administrators should therefore treat the flaw as high risk and prioritise remediation; where an upgrade cannot happen immediately, clearing or rotating the affected user's stored tokens at the moment the account is disabled closes the replay window.
OpenCVE Enrichment