CRITICAL🇵🇱 Wersja polska

CVE-2026-22238

CVSS 10.0v4.0pub. 2026-01-14upd. 2026-02-02

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user.

🤖 AI Analysis
How it works

An attacker sends specially crafted HTTP requests to vulnerable admin API endpoints without needing to possess any authentication credentials. As a result, it is possible to create a new user with administrator privileges. After creating such an account, the attacker logs into it and gains full access to the platform and client data. The vulnerability results from the lack of authentication mechanism (CWE-306) and improper privilege management (CWE-269) within the admin API.

Impact

An attacker can gain full access to data of all clients and completely take over control of the BLUVOYIX platform, including managing its configuration and users with administrator privilege level.

Mitigation & patch

Apply patches available from the vendor according to the references. Until the patch is implemented, it is recommended to block access to admin API endpoints at the firewall or network level, so they are accessible only from trusted IP addresses.

Who is affected

Blusparkglobal's BLUVOYIX product — versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:H/U:Red
  • Blusparkglobal Bluvoyix

    APP
    Blusparkglobal
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22236CRITICAL10.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Blusparkglobal BLUVOYIX (Auth Bypass)

CVE-2026-22237CRITICAL10.0PL ✓ten sam produkt

Ujawnienie wewnętrznej dokumentacji API w Blusparkglobal BLUVOYIX

CVE-2026-22239CRITICAL10.0PL ✓ten sam produkt

Blusparkglobal Bluvoyix — niekontrolowane wysyłanie e-maili przez API

CVE-2026-22240CRITICAL10.0PL ✓ten sam produkt

BLUVOYIX: ujawnienie haseł w postaci jawnej przez nieuwierzytelnione API