CRITICAL🇵🇱 Wersja polska

CVE-2026-22236

CVSS 10.0v4.0pub. 2026-01-14upd. 2026-02-02

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.

🤖 AI Analysis
How it works

The vulnerability stems from an improper authentication mechanism (CWE-287) in the BLUVOYIX system's backend APIs. An attacker can exploit it by sending specially crafted HTTP requests directly to vulnerable API endpoints. Because the authentication mechanism is flawed, such requests are accepted and processed without verifying the sender's identity. The attack does not require possession of any credentials or user interaction.

Impact

An attacker can gain full access to data of all clients stored on the platform and completely compromise the target system, including its resources and integrity.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references. As a temporary measure, it is recommended to restrict access to BLUVOYIX backend APIs at the firewall level to trusted sources only and monitor logs for unauthorized API requests.

Who is affected

Blusparkglobal BLUVOYIX platform — versions specified in manufacturer's references.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Red
  • Blusparkglobal Bluvoyix

    APP
    Blusparkglobal
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-22237CRITICAL10.0PL ✓ten sam produkt

Ujawnienie wewnętrznej dokumentacji API w Blusparkglobal BLUVOYIX

CVE-2026-22238CRITICAL10.0PL ✓ten sam produkt

Brak uwierzytelnienia w admin API Blusparkglobal BLUVOYIX — pełne przejęcie platformy

CVE-2026-22239CRITICAL10.0PL ✓ten sam produkt

Blusparkglobal Bluvoyix — niekontrolowane wysyłanie e-maili przez API

CVE-2026-22240CRITICAL10.0PL ✓ten sam produkt

BLUVOYIX: ujawnienie haseł w postaci jawnej przez nieuwierzytelnione API