CVE-2026-38329 Overview
CVE-2026-38329 is a Remote Code Execution (RCE) vulnerability in Bludit CMS versions prior to 3.18.4. The flaw resides in the API Plugin, specifically the POST /api/files/{key} endpoint defined in bl-plugins/api/plugin.php. The endpoint fails to enforce authorization checks and does not validate file extensions during upload. An attacker holding a valid API token can upload a malicious PHP script and execute arbitrary code on the underlying web server. The weakness is classified under [CWE-862] Missing Authorization.
Critical Impact
Authenticated attackers with API token access can upload PHP webshells and achieve full remote code execution on the host running Bludit CMS.
Affected Products
- Bludit CMS versions prior to 3.18.4
- Bludit API Plugin (bl-plugins/api/plugin.php)
- Any deployment exposing the /api/files/{key} endpoint
Discovery Timeline
- 2026-06-15 - CVE-2026-38329 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-38329
Vulnerability Analysis
The vulnerability exists in the file upload handler exposed by the Bludit API Plugin. The POST /api/files/{key} route accepts file uploads but omits two critical security controls. First, the endpoint does not verify that the API token holder has permission to write executable content. Second, the handler does not enforce a file extension allowlist or MIME type check before persisting uploaded files to a web-accessible directory. Bludit stores uploaded files inside paths served directly by the web server, allowing PHP files to be interpreted by the runtime.
The EPSS score is 0.504% with a percentile of 39.06, indicating moderate near-term exploitation likelihood as of June 2026.
Root Cause
The root cause is a Missing Authorization weakness combined with insufficient input validation. The file upload routine in bl-plugins/api/plugin.php trusts API token possession as a proxy for full administrative privilege. It also accepts any file extension, including .php, .phtml, and .phar. These conditions allow a low-privileged token holder to plant server-side executable content.
Attack Vector
An attacker first obtains or coerces a valid Bludit API token. The attacker then issues an HTTP POST request to /api/files/{key} containing a PHP payload as the uploaded file. The server stores the file under a public path, after which the attacker requests the file URL to trigger PHP execution. The result is arbitrary code execution under the privileges of the web server process. No user interaction is required and the attack is performed remotely over the network.
A proof-of-concept describing the request flow is referenced in the GitHub Gist PoC.
Detection Methods for CVE-2026-38329
Indicators of Compromise
- POST requests to /api/files/{key} containing payloads with PHP-related extensions such as .php, .phtml, .phar, or .php5.
- New or unexpected files appearing in Bludit upload directories with server-executable extensions.
- Outbound network connections initiated by the PHP-FPM or web server process shortly after file upload activity.
- Web server access logs showing GET requests to recently uploaded files in the Bludit bl-content/uploads/ path.
Detection Strategies
- Inspect HTTP request bodies hitting the /api/files/ API path for filenames ending in scripting extensions.
- Alert on creation of executable file types inside any directory mapped to PHP interpretation under the Bludit installation.
- Correlate API token use with subsequent process creation events such as sh, bash, or php spawning unusual child processes.
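The following Python script is an added example, not part of this advisory, that applies two of the log-based indicators above to constructed combined-format access log lines: it flags GET requests for server-executable extensions under bl-content/uploads/ and marks whether the same client issued a POST /api/files/{key} shortly before. The sample log lines, the IP addresses and the ten-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2026:10:02:40 +0000] "POST /api/files/4f2a9c HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:10:02:58 +0000] "GET /bl-content/uploads/notes.php?v=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jun/2026:10:05:03 +0000] "POST /api/files/7bd1e0 HTTP/1.1" 200 87 "-" "Bludit-Mobile/1.0"
198.51.100.4 - - [15/Jun/2026:10:05:20 +0000] "GET /bl-content/uploads/photo.jpg HTTP/1.1" 200 30211 "-" "Bludit-Mobile/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions the advisory lists as server-executable in the Bludit upload path.
EXEC_EXT_RE = re.compile(r'\.(php|phtml|phar|php5)$', re.IGNORECASE)
UPLOAD_PREFIX = "/bl-content/uploads/"
API_PREFIX = "/api/files/"
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # strip query string before extension check
    return rec


def find_suspicious(log_text):
    """Return alerts for executable files fetched from the upload directory,
    noting whether the same client POSTed to /api/files/ within WINDOW beforehand."""
    last_upload = {}  # client ip -> timestamp of most recent API file upload
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(API_PREFIX):
            last_upload[rec["ip"]] = rec["ts"]
        elif (rec["method"] == "GET" and rec["path"].startswith(UPLOAD_PREFIX)
              and EXEC_EXT_RE.search(rec["path"])):
            prior = last_upload.get(rec["ip"])
            correlated = prior is not None and rec["ts"] - prior <= WINDOW
            alerts.append({"ip": rec["ip"], "path": rec["path"],
                           "status": int(rec["status"]), "upload_correlated": correlated})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

A correlated alert with status 200 is the strongest signal; an uncorrelated 404 may simply be a scanner probing for files that do not exist.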
Monitoring Recommendations
- Forward Bludit web server access and error logs to a centralized log platform for retention and query.
- Monitor process lineage on the web server host for PHP processes spawning shells, network utilities, or download tools.
- Track API token usage patterns and flag tokens that perform file uploads outside expected administrative workflows.
How to Mitigate CVE-2026-38329
Immediate Actions Required
- Upgrade Bludit CMS to version 3.18.4 or later, which adds authorization checks and extension validation to the API file upload endpoint.
- Rotate all existing Bludit API tokens to invalidate any credentials that may have been exposed.
- Audit the bl-content/uploads/ directory and remove any unrecognized PHP or script files.
- Restrict network access to administrative and API endpoints using a reverse proxy allowlist.
Patch Information
The vendor fix is included in Bludit CMS 3.18.4. The patch introduces authorization verification on POST /api/files/{key} and rejects uploads with disallowed file extensions. Administrators running any release earlier than 3.18.4 should upgrade immediately. Refer to the GitHub Gist PoC for technical request details that informed the fix.
Workarounds
- Disable the Bludit API Plugin until the upgrade can be applied if the plugin is not required for operations.
- Configure the web server to deny PHP execution inside bl-content/uploads/ using location or directory rules in nginx or Apache.
- Place a web application firewall rule in front of /api/files/ to block requests whose multipart filename ends in executable extensions.
# Example nginx rule preventing PHP execution in upload directory
# ^~ gives this prefix location priority over server-level regex locations,
# so the usual "location ~ \.php$" fastcgi handler never sees these requests.
location ^~ /bl-content/uploads/ {
    # Nested regex location covers the server-executable extensions listed above.
    # "return 403" runs in the rewrite phase, before "deny all" (access phase),
    # so the deny is a belt-and-braces fallback rather than the primary control.
    location ~ \.(php|phtml|phar|php5)$ {
        deny all;
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.