VYPR
High severity · 7.1 · NVD Advisory · Published Jun 8, 2026 · Updated Jun 8, 2026

CVE-2026-46657

Description

Bludit CMS versions before 3.22.0 allow deactivated users to maintain access via persistent authentication tokens, bypassing account disablement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bludit CMS versions before 3.22.0 allow deactivated users to maintain access via persistent authentication tokens, bypassing account disablement.

Vulnerability

Bludit CMS versions prior to 3.22.0 contain a vulnerability in their user management logic. When an administrator disables a user account, the application fails to invalidate or clear the tokenAuth and tokenRemember fields in the JSON database. This allows deactivated accounts to maintain access via persistent authentication tokens [2].

Exploitation

An attacker or revoked user with a pre-existing "Remember Me" cookie can bypass account disablement. The vulnerability lies in the disableUser() function in bl-kernel/users.class.php, which marks passwords as invalid but leaves persistent tokens in the database. The "Remember Me" feature validates users by comparing the cookie token directly against the tokenRemember field, thus ignoring the account's disabled status [2]. A Proof of Concept demonstrates a disabled user successfully publishing a post [2].

Impact

An attacker or a revoked user can bypass account deactivation by using a valid persistent cookie, maintaining unauthorized access to the application. This allows the disabled user to continue performing actions within the CMS, such as publishing content [2].

Mitigation

Bludit version 3.22.0 addresses this vulnerability by updating the disableUser() method to clear the tokenAuth and tokenRemember fields in the JSON database [1, 2]. This release was made available on 2023-08-01 [1].

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches

7931d1c55a3c

fix: invalidate sessions for disabled users (GHSA-q42h-wpg8-5wwf) (#1705)

https://github.com/bludit/bludit · Diego Najar · May 8, 2026 · Fixed in 3.22.0 · via llm-release-walk
2 files changed · +8 -0
  • bl-kernel/login.class.php · +6 -0 · modified
    @@ -43,6 +43,12 @@ public function isLogged()
     		if (Session::get('fingerPrint') === $this->fingerPrint()) {
     			$username = Session::get('username');
     			if (!empty($username)) {
    +				$userDB = $this->users->getUserDB($username);
    +				if ($userDB === false || $userDB['password'] === '!') {
    +					Log::set(__METHOD__ . LOG_SEP . 'User no longer exists or is disabled, destroying the session.');
    +					Session::destroy();
    +					return false;
    +				}
     				return true;
     			} else {
     				Log::set(__METHOD__ . LOG_SEP . 'Session username empty, destroying the session.');
    
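Review bot: the disabled-account test `$userDB['password'] === '!'` hard-codes the same sentinel that disableUser() writes in users.class.php, so two files now have to agree on a magic string; a small accessor on the users class (an isDisabled($username)-style helper, name hypothetical) would keep a single definition and let isLogged() read as a policy check rather than a string compare. Note also that this check sits inside the fingerprint/session branch only: it ends sessions that were already established before the account was disabled, but it does nothing for the Remember Me cookie path the advisory describes, which is closed only by the tokenRemember change in users.class.php, so the two hunks must ship together. The `$userDB === false` branch is a good addition, since a deleted user with a live session would otherwise keep returning true here.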
  • bl-kernel/users.class.php · +2 -0 · modified
    @@ -57,6 +57,8 @@ public function exists($username)
     	public function disableUser($username)
     	{
     		$this->db[$username]['password'] = '!';
    +		$this->db[$username]['tokenRemember'] = '';
    +		$this->db[$username]['tokenAuth'] = $this->generateAuthToken();
     		return $this->save();
     	}
     
    
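Review bot: tokenRemember is cleared to '' while tokenAuth is rotated with a fresh generateAuthToken(); the asymmetry needs either a comment or a consistent choice. An empty stored token is only safe if every comparison against tokenRemember also rejects an empty or missing cookie value, otherwise an empty cookie compares equal to the empty field; rotating to a fresh random token, as is done for tokenAuth on the next line, removes that dependency entirely. The advisory text on this page says the fix "clears" tokenAuth, whereas the hunk regenerates it, which is the stronger behaviour, so the description should say so. Finally, the session check added in login.class.php logs via Log::set, but disableUser() records nothing; a matching log line here would give administrators an audit trail of when an account's tokens were revoked.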

Vulnerability mechanics

Root cause

"The application fails to invalidate persistent authentication tokens when a user account is disabled."

Attack vector

An attacker with a pre-existing "Remember Me" cookie for a deactivated account can bypass the account disablement. The application's "Remember Me" feature validates users by comparing the cookie token against the tokenRemember field in the database. Since this field is not cleared when a user is disabled, the authentication subsystem incorrectly considers the session valid, allowing the disabled user to maintain an authenticated state and access the application [ref_id=1].

Affected code

The vulnerability resides in the disableUser() function within the bl-kernel/users.class.php file. This function marks the password field with '!' to prevent standard logins but fails to invalidate or clear the tokenAuth and tokenRemember fields stored in the bl-content/databases/users.php file [ref_id=1].

What the fix does

The patch updates the disableUser() method to clear the tokenAuth and tokenRemember fields in the JSON database when a user account is disabled [patch_id=5238298]. This ensures that any persistent authentication tokens associated with the account are invalidated, preventing the "Remember Me" functionality from allowing access to deactivated accounts.
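Audit check a defender can run against a Bludit users table, added here as example code and not Bludit's own: it parses the bl-content/databases/users.php file, flags disabled accounts (password '!') that still carry a tokenRemember, and, given a snapshot taken before disablement, flags accounts whose tokenAuth was never rotated, which is the condition the reproduction's technical verification step describes. The PHP guard line at the top of the file and all sample values are constructed assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the layout of Bludit's bl-content/databases/users.php
# (PHP guard line, then the JSON user table). The guard line is an assumption;
# the field names and the '!' disabled marker come from the advisory and patch.
SAMPLE_USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "admin":  {"role": "admin",  "password": "$2y$hash", "tokenAuth": "tok-admin-auth",  "tokenRemember": ""},
  "admin2": {"role": "admin",  "password": "!", "tokenAuth": "tok-admin2-auth", "tokenRemember": "tok-admin2-remember"},
  "author": {"role": "author", "password": "!", "tokenAuth": "tok-author-auth", "tokenRemember": "tok-author-remember"},
  "editor": {"role": "editor", "password": "!", "tokenAuth": "tok-editor-new",  "tokenRemember": ""}
}
"""

# Constructed snapshot of the same table taken before the three accounts were disabled.
BEFORE_DISABLE_SNAPSHOT = {
    "admin":  {"password": "$2y$hash", "tokenAuth": "tok-admin-auth"},
    "admin2": {"password": "$2y$hash", "tokenAuth": "tok-admin2-auth"},
    "author": {"password": "$2y$hash", "tokenAuth": "tok-author-auth"},
    "editor": {"password": "$2y$hash", "tokenAuth": "tok-editor-old"},
}

def load_users_db(contents: str) -> Dict[str, dict]:
    """Drop the leading PHP guard, if any, and parse the JSON user table."""
    body = re.sub(r"^\s*<\?php.*?\?>", "", contents, count=1, flags=re.DOTALL)
    return json.loads(body)

def find_disabled_with_live_remember_token(users: Dict[str, dict]) -> List[str]:
    """Disabled accounts whose tokenRemember was never cleared: a pre-existing
    Remember Me cookie for any of these still matches the stored value."""
    return sorted(name for name, rec in users.items()
                  if rec.get("password") == "!" and rec.get("tokenRemember", ""))

def find_disabled_with_unrotated_auth_token(before: Dict[str, dict],
                                            after: Dict[str, dict]) -> List[str]:
    """Accounts disabled between the two snapshots whose tokenAuth is identical to
    its pre-disablement value, i.e. the API token was not rotated on disable."""
    return sorted(name for name, rec in after.items()
                  if rec.get("password") == "!"
                  and before.get(name, {}).get("password") != "!"
                  and before.get(name, {}).get("tokenAuth") == rec.get("tokenAuth"))

if __name__ == "__main__":
    users = load_users_db(SAMPLE_USERS_PHP)
    print("live Remember Me token on disabled account:", find_disabled_with_live_remember_token(users))
    print("tokenAuth unchanged since disable:", find_disabled_with_unrotated_auth_token(BEFORE_DISABLE_SNAPSHOT, users))
```

On a patched 3.22.0 install both lists should be empty for every account disabled after the upgrade; accounts disabled before the upgrade keep their stale tokens until they are disabled again or edited.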

Preconditions

  • The attacker must have a previously established persistent authentication token (e.g., a "Remember Me" cookie) for an account that is subsequently disabled.

Reproduction

1. Administrator creates two new users: 'admin2' (Admin role) and 'author' (Author role).
2. The main administrator disables both 'admin2' and 'author' accounts.
3. Technical verification: checking the users.php database file shows that although passwords are invalidated (marked with '!'), the tokenAuth and tokenRemember remain unchanged.
4. The disabled 'author' user successfully publishes a new post titled 'Author-Post', demonstrating continued session functionality [ref_id=1].

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
