
CVE-2026-46656: Bludit CMS Auth Bypass Vulnerability

CVE-2026-46656 is an authentication bypass flaw in Bludit CMS allowing deleted users to maintain unauthorized access through ghost sessions. This article covers the technical details, affected versions, and mitigation.

CVE-2026-46656 Overview

CVE-2026-46656 is a Broken Access Control vulnerability [CWE-285] in Bludit, an open-source flat-file content management system (CMS). Versions prior to 3.22.0 fail to invalidate active sessions when a user account is deleted from the database. The application treats these orphaned "Ghost Sessions" as valid, allowing revoked users to retain full authenticated access. An attacker with a previously issued session token can continue to interact with the administrative interface after their account has been removed. Bludit version 3.22.0 resolves the issue.

Critical Impact

Deleted user accounts retain full administrative access through persistent session tokens, enabling unauthorized content modification, privilege abuse, and data exposure.

Affected Products

  • Bludit CMS versions prior to 3.22.0
  • Bludit administrative panel and session management subsystem
  • Self-hosted Bludit deployments using default authentication

Discovery Timeline

  • 2026-06-08 - CVE-2026-46656 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-46656

Vulnerability Analysis

The vulnerability resides in Bludit's session management workflow. When an administrator removes a user account through the admin panel, the application deletes the user record from the underlying flat-file database. However, the session store retains the corresponding session entries and continues to authenticate requests presenting those tokens.

The issue is classified under [CWE-285: Improper Authorization]. Bludit verifies session validity by checking token existence rather than reconciling the session against current user state. Because the link between session and user identity is not re-validated on each request, the revoked user remains effectively authenticated until the session expires naturally.

The fix in version 3.22.0 introduces server-side session invalidation when a user is deleted, removing the stale session records and breaking the authentication chain for the removed account.

Root Cause

The root cause is a missing authorization check that ties session lifecycle to user lifecycle. Bludit's authentication layer trusts any existing session token without verifying that the associated user account still exists or remains active. This design omission allows session persistence beyond account deletion.

Attack Vector

Exploitation requires that an attacker previously held a valid Bludit account, either as a legitimate user or through compromise of credentials. After the administrator deletes the account intending to revoke access, the attacker continues to send authenticated requests using the cached session cookie. The attacker can then perform any action permitted by the deleted account's prior role, including modifying posts, uploading files, or accessing administrative endpoints. Technical details are available in the Bludit Security Advisory GHSA-rpq2-j9w3-h4jw and the remediation commit.

Detection Methods for CVE-2026-46656

Indicators of Compromise

  • Authenticated HTTP requests to /admin endpoints originating from session cookies associated with user accounts that no longer exist in the Bludit users.php database file.
  • Content modifications, post edits, or file uploads attributed to deleted usernames in Bludit logs.
  • Session cookies remaining valid after administrative user deletion events.

Detection Strategies

  • Correlate Bludit access logs with the user deletion audit trail to identify activity timestamps occurring after an account removal.
  • Compare active session identifiers in the bl-content/workspaces/sessions/ directory against the current user list to surface orphaned sessions.
  • Monitor for unexpected administrative actions performed by usernames that have been removed from the system.
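The reconciliation described above (the username inside each stored session checked against the current user list, which is what an unpatched Bludit never does on a request) as an offline audit script. This is an added example, not Bludit's own code; it assumes users.php is a PHP guard line followed by a JSON object keyed by username and that session files use PHP's default serialized format with a `username` key, so verify both layouts against your install before relying on it.

```python
import json
import os
import re
import tempfile

# Constructed users.php in Bludit's flat-file layout (assumed: a PHP guard
# line followed by a JSON object keyed by username). Not real site data.
USERS_PHP = (
    "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n"
    '{"admin": {"role": "admin"}, "editor": {"role": "editor"}}\n'
)

# Constructed session files (PHP default serialization, assumed layout).
SESSION_FILES = {
    "sess_a1b2c3": 'username|s:5:"admin";role|s:5:"admin";',
    "sess_d4e5f6": 'username|s:6:"ghost1";role|s:6:"editor";',  # account deleted
    "sess_g7h8i9": 'fingerPrint|s:3:"abc";',                    # never logged in
}

_USERNAME_RE = re.compile(r'username\|s:(\d+):"')

def load_users(users_php_text):
    """Return the set of current usernames from a users.php payload."""
    body = users_php_text.split("?>", 1)[1]  # drop the PHP guard line
    return set(json.loads(body))

def session_username(session_text):
    """Username stored in a PHP-serialized session, or None if absent."""
    m = _USERNAME_RE.search(session_text)
    if not m:
        return None
    start = m.end()
    return session_text[start:start + int(m.group(1))]

def find_ghost_sessions(sessions_dir, users):
    """Session ids whose username no longer exists: the 3.22.0 check, run offline."""
    ghosts = []
    for name in sorted(os.listdir(sessions_dir)):
        with open(os.path.join(sessions_dir, name), encoding="utf-8") as fh:
            user = session_username(fh.read())
        if user is not None and user not in users:
            ghosts.append(name)
    return ghosts

def demo():
    """Write the constructed files to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SESSION_FILES.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_ghost_sessions(d, load_users(USERS_PHP))
```

Point `find_ghost_sessions` at the real bl-content/workspaces/sessions/ directory and the real users.php to list sessions that should be purged; a non-empty result on an unpatched instance is the indicator the Detection Strategies describe.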

Monitoring Recommendations

  • Enable verbose access logging on the Bludit admin interface and forward logs to a centralized SIEM for retention and correlation.
  • Alert on any successful authentication event referencing a username absent from the current users.php configuration.
  • Track session file creation and modification timestamps to detect long-lived sessions surviving user removal operations.

How to Mitigate CVE-2026-46656

Immediate Actions Required

  • Upgrade Bludit to version 3.22.0 or later, which invalidates sessions upon user deletion. The release is available on the Bludit 3.22.0 Release page.
  • Manually purge the bl-content/workspaces/sessions/ directory after upgrading to terminate any pre-existing Ghost Sessions.
  • Force all remaining users to re-authenticate by rotating credentials for active administrative accounts.

Patch Information

The fix is delivered in Bludit 3.22.0 via commit 7931d1c55a3cc535911a9901c328f0197afe1c9f. The patch ensures the session store is updated when a user is deleted, removing the authorization gap. Administrators running any version prior to 3.22.0 should apply the update immediately. Refer to the GitHub commit for implementation details.

Workarounds

  • Manually delete the contents of the bl-content/workspaces/sessions/ directory immediately after removing any user account on unpatched instances.
  • Restrict access to the Bludit admin interface using network-level controls such as IP allowlisting or a reverse-proxy authentication layer.
  • Shorten the session lifetime configuration in Bludit so that orphaned sessions expire quickly on systems that cannot be upgraded immediately.

```bash
# Workaround for unpatched instances: purge stale Bludit session files
# right after a user account is deleted, then reload PHP-FPM.
rm -f /var/www/bludit/bl-content/workspaces/sessions/*.php
systemctl reload php-fpm
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
