HIGH 8.8

CVE-2026-46656: Bludit Ghost Session Vulnerability – Broken Access Control Flaw

Bludit, a content management system, has a critical flaw in how it manages user sessions. When an administrator deletes a user account from the database, the system fails to invalidate that user's active login sessions. This means a deleted user can continue accessing the CMS with full privileges as if their account still existed—a "ghost session" vulnerability. The flaw affects all Bludit versions before 3.22.0 and is fixed in that release.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-285, CWE-613
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46656 is a broken access control vulnerability (CWE-285, CWE-613) in Bludit's session management layer. The root cause is improper session invalidation during user deletion operations. When a user record is removed from the database, the application does not revoke or check the validity of associated active sessions. An attacker with a deleted user account can replay or reuse their session token to authenticate and perform privileged operations—including content modification, user management, and system configuration—without re-authentication. The CVSS 3.1 score of 8.8 (HIGH) reflects the network-accessible attack vector, low complexity, low privilege requirement (session token), and complete confidentiality and integrity impact.

Business impact

This vulnerability creates persistent unauthorized access pathways for terminated or revoked users. In multi-tenant or corporate deployments, a departing employee or contractor could maintain administrative or editorial access indefinitely. The impact extends to data exfiltration, unauthorized content publication, system misconfiguration, and reputational harm. Organizations cannot reliably offboard users—session-based revocation fails entirely. Compliance frameworks (SOC 2, HIPAA, PCI-DSS) that mandate access control and user lifecycle management are directly violated.

Affected systems

Bludit versions prior to 3.22.0 are vulnerable. The vendor has not disclosed an exhaustive list of deployments; however, any Bludit instance running an affected version is at risk. This includes self-hosted CMS installations in small business, nonprofit, and enterprise environments where Bludit is used for public websites, internal knowledge bases, or documentation.

Exploitability

Exploitation requires an attacker to have or have had a valid user account and session token before deletion. Low complexity; no special tools or interaction needed beyond reusing an existing session. The attack is silent—no logs typically capture session reuse after account deletion. However, external threat actors must first gain initial account access, limiting opportunistic exploitation. Insider threats and account compromise scenarios are the highest-risk vectors.

Remediation

Upgrade to Bludit 3.22.0 or later. This version implements proper session invalidation on user deletion. Organizations should also audit active sessions for any accounts that have been deleted within the past 30–90 days and manually terminate those sessions. Review user offboarding procedures to ensure administrators are aware of this control gap until patched.

Patch guidance

Apply Bludit 3.22.0 immediately. Verify the patch through official Bludit release channels and checksums. Before patching, back up the database and configuration. Test in a staging environment if possible. The patch is a drop-in upgrade with no breaking changes documented. After patching, force re-authentication of all active users to clear any ghost sessions that may exist in the current session store.

Detection guidance

Monitor for session tokens being used after the corresponding user has been deleted. Log all user deletion events with timestamp and associated session identifiers. Correlate session activity (API calls, page views, admin actions) against the user account lifecycle table. Unusual administrative activity from deleted user accounts, or spikes in session reuse patterns, warrant investigation. Web application firewalls (WAFs) and intrusion detection systems (IDS) are unlikely to detect this pattern without custom rules tuned to user lifecycle events.

Why prioritize this

HIGH priority due to the 8.8 CVSS score, the persistence of the flaw (ghost sessions survive indefinitely), and the broad impact on access control. This is not an edge case—user deletion is a routine administrative operation, and the vulnerability affects every user removal. Organizations with rapid employee turnover or frequent contractor offboarding face elevated risk. The attack is difficult to detect in real time, increasing dwell time for unauthorized access.

Risk score, explained

CVSS 3.1 score of 8.8 is derived from: network-accessible attack vector (AV:N), low attack complexity (AC:L), low privilege level required (PR:L—a session token, which may be obtained via compromise or insider threat), no user interaction (UI:N), and impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The score reflects complete system compromise when a ghost session is exploited, balanced against the requirement for prior account access or token theft.

Frequently asked questions

Can we detect which deleted users had active sessions before upgrading?

Yes. Query the user deletion audit log and cross-reference deletion timestamps against session creation and last-activity timestamps in the session store (if retained). Sessions created before deletion and last active near or after deletion are suspicious. However, Bludit's default logging may not capture sufficient granularity. Enable verbose session logging before patching if possible.

Does this affect single-user or read-only Bludit instances?

Single-user instances are less exposed operationally, but the flaw is present. Read-only instances are still vulnerable if the deleted user had editor or admin roles before removal. An attacker reusing a deleted admin session could modify content or settings.

If we delete a user, should we manually clear their cookies from browsers?

Manual cookie clearing is not practical at scale. Instead, upgrade to 3.22.0 immediately and force a global re-authentication or session timeout (e.g., set session TTL to 1 hour). This forces all users, including those with ghost sessions, to re-authenticate.

Is there a workaround if we cannot patch immediately?

Implement a temporary mitigation: set session timeout to a short duration (e.g., 30 minutes) and monitor deletion audit logs daily. Identify deleted users with recent session activity and manually revoke those sessions from the admin panel, if the UI provides that capability. This is a stopgap; patching is mandatory.

This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations must independently verify the applicability of this vulnerability to their deployments and follow their own change management and testing procedures before applying patches. SEC.co does not warrant the accuracy or completeness of this analysis and is not liable for any damages arising from its use. Always consult official vendor advisories and release notes. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).