CVE-2026-22236

Critical

Published: 14 January 2026

Published

14 January 2026

Modified

02 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22236 is a critical-severity Improper Authentication (CWE-287) vulnerability in Blusparkglobal Bluvoyix. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users such as customers accessing backend APIs, directly preventing unauthenticated remote exploitation of the improper authentication vulnerability.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to system resources including backend APIs, mitigating unauthorized data access and platform compromise resulting from flawed authentication.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Explicitly authorizes and limits actions performable without identification or authentication, preventing exposure of sensitive backend APIs to unauthenticated attackers.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an improper authentication flaw in public-facing backend APIs, directly enabling exploitation of a public-facing application for unauthorized access and full platform compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the…

attacker to gain full access to customers' data and completely compromise the targeted platform.

Deeper analysisAI

CVE-2026-22236 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2026-01-14, affecting the BLUVOYIX platform due to improper authentication (CWE-287) in its backend APIs. This flaw allows unauthorized access through flawed authentication mechanisms in the APIs.

An unauthenticated remote attacker can exploit the vulnerability by sending specially crafted HTTP requests to the vulnerable backend APIs. Successful exploitation grants the attacker full access to customers' data and enables complete compromise of the targeted BLUVOYIX platform.

Mitigation details are available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.