VYPR
High severity (8.8) · NVD Advisory · Published Jun 8, 2026 · Updated Jun 8, 2026

CVE-2026-46656

Description

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.


Patches

7931d1c55a3c

fix: invalidate sessions for disabled users (GHSA-q42h-wpg8-5wwf) (#1705)

https://github.com/bludit/bludit · Diego Najar · May 8, 2026 · via nvd-ref
2 files changed · +8 −0
  • bl-kernel/login.class.php (+6 −0, modified)
    @@ -43,6 +43,12 @@ public function isLogged()
     		if (Session::get('fingerPrint') === $this->fingerPrint()) {
     			$username = Session::get('username');
     			if (!empty($username)) {
    +				$userDB = $this->users->getUserDB($username);
    +				if ($userDB === false || $userDB['password'] === '!') {
    +					Log::set(__METHOD__ . LOG_SEP . 'User no longer exists or is disabled, destroying the session.');
    +					Session::destroy();
    +					return false;
    +				}
     				return true;
     			} else {
     				Log::set(__METHOD__ . LOG_SEP . 'Session username empty, destroying the session.');
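Review bot: the new guard decides that a user is disabled by comparing the stored password to the literal '!', so session validity now hinges on a magic value that is written by Users::disableUser() in another file; a named method on the users object (for example isDisabled($username)) would keep the two in step and make the check self-describing. It is also worth confirming that getUserDB() returns exactly false for an unknown user, because a null or empty-array result would slip past `$userDB === false` and leave the deleted-account case, which is the one the CVE describes, unhandled; `empty($userDB)` would cover all three. The destroy-then-return-false shape is right and matches the existing empty-username branch below it.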
    
  • bl-kernel/users.class.php (+2 −0, modified)
    @@ -57,6 +57,8 @@ public function exists($username)
     	public function disableUser($username)
     	{
     		$this->db[$username]['password'] = '!';
    +		$this->db[$username]['tokenRemember'] = '';
    +		$this->db[$username]['tokenAuth'] = $this->generateAuthToken();
     		return $this->save();
     	}
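Review bot: disableUser() now clears tokenRemember and replaces tokenAuth in addition to writing the '!' sentinel into the password field, which revokes the remember-me cookie and the stored auth token for that account, but nothing documents that contract; a short doc comment stating that disabling also revokes both tokens, and that login.class.php keys session validity off the '!' sentinel, would help the next maintainer. Consider lifting '!' into a named constant shared by both files instead of repeating the literal, so the two checks cannot drift apart.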
     
    

Vulnerability mechanics

Root cause

"Active sessions remain valid after the user account is deleted from the database."

Attack vector

An attacker with low-privilege access first establishes a session. The attacker then causes their user account to be physically deleted from the database. Because the application does not re-validate the session against the database on subsequent requests, the deleted user can maintain full unauthorized access to the system, including performing administrative actions [ref_id=1].

Affected code

The vulnerability exists in the isLogged() function within bl-kernel/login.class.php. The application relies on server-side session state stored in the `$_SESSION` global variable without re-validating the user's status against the database for subsequent requests [ref_id=1].

What the fix does

The patch modifies the isLogged() function to verify the legitimacy of the user against the database for every request. This implements the security principle of Complete Mediation, ensuring that sessions are only considered valid if the associated user account still exists and is active in the database [ref_id=1].
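A minimal PHP model of the vulnerable and hardened checks, added here as an illustration and not Bludit's own code; the `$users` array (standing in for the JSON user database), the `$session` array (standing in for `$_SESSION`) and the two function names are assumptions.

```php
<?php
// Added illustration, not Bludit's code: a minimal model of the "ghost session"
// check. $users stands in for Bludit's JSON user database and $session for
// $_SESSION; both names and the two functions below are assumptions.

// Sentinel that Bludit's disableUser() writes into the password field.
const DISABLED_PASSWORD = '!';

// Vulnerable shape: trusts the session alone and never consults the user store,
// so a session outlives the deletion or disabling of its account.
function isLoggedVulnerable(array $session): bool
{
    return !empty($session['username']);
}

// Hardened shape (complete mediation): on every request the session is valid
// only while the account still exists and has not been disabled.
function isLoggedHardened(array &$session, array $users): bool
{
    $username = $session['username'] ?? '';
    if ($username === '') {
        return false;
    }
    $userDB = $users[$username] ?? false;
    if ($userDB === false || $userDB['password'] === DISABLED_PASSWORD) {
        error_log("User '$username' no longer exists or is disabled; destroying the session");
        $session = [];  // stands in for Session::destroy()
        return false;
    }
    return true;
}

// Constructed scenario mirroring the advisory's reproduction steps.
$users = [
    'admin'  => ['password' => 'bcrypt-hash-placeholder', 'role' => 'admin'],
    'admin2' => ['password' => 'bcrypt-hash-placeholder', 'role' => 'admin'],
    'author' => ['password' => 'bcrypt-hash-placeholder', 'role' => 'author'],
];
$ghost    = ['username' => 'admin2', 'fingerPrint' => 'constructed'];
$disabled = ['username' => 'author', 'fingerPrint' => 'constructed'];

unset($users['admin2']);                           // admin2 deleted by the administrator
$users['author']['password'] = DISABLED_PASSWORD;  // author disabled instead of deleted

// The sessions were established before the accounts were removed or disabled.
printf("vulnerable: admin2=%d author=%d\n",
    isLoggedVulnerable($ghost), isLoggedVulnerable($disabled));
printf("hardened:   admin2=%d author=%d\n",
    isLoggedHardened($ghost, $users), isLoggedHardened($disabled, $users));
```

Run with `php ghost_session.php`: the vulnerable check still reports both sessions as logged in, while the hardened check rejects both and empties the session arrays, which is the behaviour the patch adds to isLogged().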

Preconditions

  • Auth: Attacker must have an existing user account with at least low-privilege access.
  • Input: Attacker must be able to trigger the deletion of their own user account.

Reproduction

1. Administrator creates two new users: 'admin2' (Admin role) and 'author' (Author role).
2. The main administrator deletes both accounts using the 'Delete user and content' option.
3. Database audit: a terminal check confirms that the 'admin2' and 'author' entries have been completely removed from the JSON database.
4. Persistence test: the deleted 'admin2' user, still using their 'Ghost Session', successfully publishes a new article.
5. Privilege escalation: the deleted 'admin2' user accesses the 'Add New User' administrative form.
6. Full web app compromise: the deleted user creates a new administrator account ('created_from_deleted_admin2'), effectively regaining permanent access to the CMS. [ref_id=1]

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
