CVE-2026-46657: Bludit Account Disablement Bypass via Persistent Authentication Tokens
Bludit, a content management system, contains a flaw in how it handles user account deactivation. When an administrator disables a user account, the system fails to clear the authentication tokens stored locally. This means a user who previously selected "Remember Me" can continue accessing the system even after their account has been disabled by an administrator. The vulnerability requires the attacker to have had legitimate access before being deactivated, but once disabled, they can maintain that access indefinitely unless the underlying token data is manually cleared.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-212, CWE-613
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear the associated tokenAuth and tokenRemember fields in the JSON database. Consequently, any user with a pre-existing "Remember Me" cookie can bypass the account disablement and maintain a valid authenticated state. Version 3.22.0 patches the issue.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46657 affects Bludit versions prior to 3.22.0. The vulnerability stems from incomplete session invalidation in the user management module. When an administrator deactivates a user account, the application fails to null or remove the tokenAuth and tokenRemember fields from the JSON database backend. An authenticated user with a valid "Remember Me" cookie can exploit this by replaying the persistent authentication token, bypassing the account disablement check and maintaining an authenticated session. The issue is rooted in CWE-212 (Improper Cross-Boundary Neutralization) and CWE-613 (Insufficient Session Expiration), indicating both a logic error in token handling and inadequate session lifecycle management.
Business impact
This vulnerability creates a post-termination access risk for any organization using Bludit. When an administrator removes a user's access—whether due to role change, termination, or security incident response—that user may retain unauthorized system access through their persistent authentication token. For content management systems, this can lead to unauthorized content modification, data exfiltration, or insertion of malicious content. The impact is heightened if terminated users had elevated privileges or access to sensitive content. The persistence of the authentication token means the compromise can go undetected until the underlying database is inspected or token data is manually purged.
Affected systems
All Bludit installations running versions prior to 3.22.0 are vulnerable. The flaw affects any user account that was deactivated while the user had an active "Remember Me" session. The vulnerability does not require network-level changes or complex exploitation; it is entirely dependent on the application's token handling logic. Self-hosted Bludit deployments are most affected, as administrators have direct control over account disablement actions.
Exploitability
Exploitation requires an authenticated user who previously logged in with the "Remember Me" option enabled. Once that user's account is disabled by an administrator, the attacker can exploit the flaw by using the stored persistent authentication cookie to regain access. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U) reflects that network access is required, prior login privileges are needed, and no user interaction is required once the token is replayed. The attack is straightforward and does not require specialized tools or extensive reconnaissance. However, the initial access requirement (PR:L) limits the attack surface to users or former users of the system.
Remediation
Upgrade Bludit to version 3.22.0 or later. This patched version resolves the token invalidation issue by properly clearing tokenAuth and tokenRemember fields when an account is deactivated. Organizations running vulnerable versions should prioritize this upgrade, particularly if they have recently terminated users or made significant access control changes. Before upgrading, administrators should audit the JSON database to identify any deactivated accounts with lingering tokens and manually remove them as an interim mitigation.
Patch guidance
Verify that Bludit has been upgraded to version 3.22.0 or a later release through the Bludit update mechanism or vendor advisory. After patching, perform a database review to ensure no legacy authentication tokens remain from previously deactivated accounts. Test the account disablement workflow to confirm that deactivated users are unable to access the system, even if they attempt to use stored authentication cookies. If deploying in a production environment, stage the upgrade in a test environment first to validate compatibility with custom themes, plugins, or configurations.
Detection guidance
Monitor Bludit's authentication logs for access attempts from deactivated or disabled user accounts. Implement detection for successful authentications using persistent tokens ("Remember Me" cookies) shortly after an account disablement event. Review the JSON database for deactivated accounts that still contain non-null tokenAuth or tokenRemember values; their presence indicates incomplete token invalidation. Consider implementing alerts on account disablement actions that do not correlate with downstream token cleanup. Log aggregation and SIEM integration can help correlate account disablement events with subsequent access attempts.
Why prioritize this
This vulnerability merits high priority due to its alignment with post-compromise access retention and insider risk scenarios. The flaw directly undermines administrative access controls—a core security function—by allowing deactivated accounts to maintain access. The attack vector is practical and requires no special privileges beyond previous legitimate access. For organizations managing multiple content editors or in high-turnover environments, the risk compounds with each account disablement. The HIGH CVSS score (7.1) and the direct impact on confidentiality and integrity of managed content justify expedited patching.
Risk score, explained
The CVSS 3.1 score of 7.1 (HIGH) reflects a network-accessible vulnerability with low attack complexity that significantly impacts confidentiality (information disclosure from unintended access) and partially impacts integrity (potential unauthorized content modification). The requirement for prior login privileges (PR:L) prevents widespread exploitation but does not diminish the risk for organizations with active user bases. The lack of availability impact (A:N) and the unchanged security scope (S:U) moderate the score slightly, but the combination of weak session management and the ability to circumvent administrative access controls justifies the HIGH severity rating.
Frequently asked questions
Can an attacker without prior access to Bludit exploit this vulnerability?
No. The vulnerability requires that the attacker had legitimate access to Bludit before their account was deactivated and that they had enabled the "Remember Me" option during login. An external attacker with no prior account cannot exploit this flaw; it is exclusively a post-termination or post-revocation access issue.
Does upgrading to 3.22.0 remove existing invalid tokens from deactivated accounts?
Upgrading to 3.22.0 stops the creation of new situations where deactivated accounts retain tokens, but it does not automatically purge tokens left behind by the old behavior. After upgrading, manually audit and clean the JSON database to remove tokenAuth and tokenRemember fields from any deactivated accounts as a precautionary measure.
How can I identify whether this vulnerability has been exploited in my Bludit installation?
Review authentication logs for successful logins from accounts you know to be deactivated or disabled. Additionally, query the JSON database to identify deactivated user accounts with non-null tokenAuth or tokenRemember values; their presence suggests potential exploitation paths. Search for any suspicious content changes or administrative actions performed after account disablement.
Is this vulnerability currently being exploited in the wild?
As of the publication date, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild. However, the relative ease of exploitation once a user has been deactivated means proactive patching remains important.
This analysis is provided for informational purposes and represents the assessment of SEC.co based on the published CVE record and vendor advisory. Readers should verify patch availability and version numbers directly against official Bludit releases and security announcements. Organizations should test patches in non-production environments before deployment. SEC.co does not provide legal or compliance advice; organizations should assess their own regulatory obligations regarding access control remediation timelines. This page does not constitute a substitute for vendor security bulletins or professional security consultation. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-44648HIGHSillyTavern Session Expiration Vulnerability – Account Takeover Risk
- CVE-2026-46656HIGHBludit Ghost Session Vulnerability – Broken Access Control Flaw
- CVE-2026-36178MEDIUMGNCC GP5 Factory Reset Leaves Cryptographic Keys Uncleared
- CVE-2026-48726MEDIUMApache Airflow JWT Token Revocation Bypass in FAB and Keycloak Logout
- CVE-2026-9802MEDIUMKeycloak Refresh Token Replay After Revocation
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin