Cyber Resilience

CVE-2026-22236

Severity: Critical
Published: 14 January 2026
Modified: 02 February 2026
CISA KEV: not listed
CVSS v4.0 base score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/RE:M/U:Red; metrics left undefined in the published vector are omitted)
EPSS: 0.0047 (37.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-22236 is a critical-severity Improper Authentication (CWE-287) vulnerability in Blusparkglobal Bluvoyix. Its CVSS v4.0 base score is 10.0 (Critical); under CVSS v3.1 the base score is 9.8.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0047 places it at the 37.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that EPSS estimates the probability of observed exploitation, not impact: an unauthenticated, network-reachable flaw that yields full platform compromise still warrants prompt remediation regardless of its percentile.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-22236 is a critical vulnerability (CVSS v3.1 base score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v4.0 base score 10.0) published on 2026-01-14, affecting the BLUVOYIX platform due to improper authentication (CWE-287) in its backend APIs. The APIs fail to correctly authenticate callers, so requests that should require a valid identity are processed without one.

An unauthenticated remote attacker can exploit the vulnerability by sending specially crafted HTTP requests to the vulnerable backend APIs. Successful exploitation grants the attacker full access to customers' data and enables complete compromise of the targeted BLUVOYIX platform. All versions are listed as affected.

Mitigation details are available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.


Vulnerability details

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Rationale: the vulnerability is an improper authentication flaw in public-facing backend APIs, so exploiting it is precisely the exploitation of a public-facing application for unauthorized access and full platform compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22237: same product (Blusparkglobal Bluvoyix)
CVE-2026-22240: same product (Blusparkglobal Bluvoyix)
CVE-2026-22238: same product (Blusparkglobal Bluvoyix)
CVE-2026-22239: same product (Blusparkglobal Bluvoyix)
CVE-2025-1044: shared weakness (CWE-287)
CVE-2026-1740: shared weakness (CWE-287)
CVE-2026-7022: shared weakness (CWE-287)
CVE-2024-13111: shared weakness (CWE-287)
CVE-2026-29145: shared weakness (CWE-287)
CVE-2018-25236: shared weakness (CWE-287)

Affected Assets

Vendor: blusparkglobal
Product: bluvoyix
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

Identification and authentication of non-organizational users (prevent): requires identification and authentication for non-organizational users such as customers accessing the backend APIs, directly preventing unauthenticated remote exploitation of the improper authentication flaw.

AC-3 Access Enforcement (prevent): enforces approved authorizations for logical access to system resources, including the backend APIs, limiting the unauthorized data access and platform compromise that flawed authentication would otherwise permit.

AC-14 Permitted Actions Without Identification or Authentication (prevent): explicitly authorizes and limits the actions that may be performed without identification or authentication, so sensitive backend API operations are never reachable by unauthenticated callers.
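To make the control language above concrete, here is a constructed example of the CWE-287 pattern this advisory describes, beside a hardened equivalent. It is illustrative code added for this page, not Bluvoyix code, and it assumes nothing about that product's real routes, headers or token format; every route, user name and key in it is invented. The weak handler is open by default, matches the raw path before the router normalises it, and takes the caller's identity from a client-supplied header. The hardened handler denies by default, keeps an explicit allowlist of the only unauthenticated actions (AC-14), accepts identity solely from an HMAC-signed bearer token, and then enforces per-action authorization (AC-3).

```python
"""Constructed CWE-287 example: an API auth check that can be bypassed, beside a
hardened version. Illustrative code added for this page, not Bluvoyix code; all
routes, users and keys below are invented."""
import base64
import hashlib
import hmac
import json
import posixpath
import time
from typing import Optional

# Constructed signing key for the demo; a real service loads it from a secret store.
SECRET = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: Optional[float] = None, ttl: int = 3600) -> str:
    """Server side: mint an HMAC-SHA256 signed bearer token with subject and expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now + ttl)}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    if token.count(".") != 1:
        return None
    try:
        payload, sig = (_unb64(part) for part in token.split("."))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    return claims["sub"] if claims.get("exp", 0) > now else None


# --- Weak pattern (CWE-287) ----------------------------------------------------
PROTECTED_PREFIXES = ("/api/admin",)


def authorize_weak(method: str, path: str, headers: dict) -> tuple:
    """Returns (identity, allowed). Three separate defects: every route outside the
    prefix list is open, the raw path is matched before the router normalises it,
    and identity is whatever the client asserts in X-User."""
    if not path.startswith(PROTECTED_PREFIXES):
        return ("anonymous", True)
    user = headers.get("x-user")  # client-controlled, never verified
    return (user, user is not None)


# --- Hardened pattern: deny by default, AC-14 allowlist, verified identity, AC-3 ---
UNAUTHENTICATED_ALLOWED = {("GET", "/api/health"), ("POST", "/api/login")}
ROLES = {"alice": {"customer"}, "admin": {"customer", "admin"}}  # constructed users


def normalize(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes and drop the query string, so the
    check sees the same path the router will dispatch."""
    return posixpath.normpath("/" + path.split("?", 1)[0].lstrip("/"))


def is_permitted(user: str, method: str, path: str) -> bool:
    """AC-3: per-action authorization, applied only after identity is established."""
    roles = ROLES.get(user, set())
    if path == "/api/admin" or path.startswith("/api/admin/"):
        return "admin" in roles
    return "customer" in roles


def authorize_hardened(method: str, path: str, headers: dict,
                       now: Optional[float] = None) -> tuple:
    """Returns (identity, allowed); any request not explicitly allowed is denied."""
    method, norm = method.upper(), normalize(path)
    if (method, norm) in UNAUTHENTICATED_ALLOWED:  # AC-14: the only anonymous actions
        return ("anonymous", True)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    user = verify_token(token.strip(), now) if scheme.lower() == "bearer" else None
    if user is None:
        return (None, False)  # fail closed: no verified identity, no access
    return (user, is_permitted(user, method, norm))


if __name__ == "__main__":
    traversal = "/api/customers/../admin/users"
    print("weak    :", authorize_weak("GET", "/api/customers", {}),
          authorize_weak("GET", traversal, {}))
    tok = issue_token("alice", now=1_000)
    hdr = {"authorization": "Bearer " + tok}
    print("hardened:", authorize_hardened("GET", "/api/customers", {}),
          authorize_hardened("GET", "/api/customers", hdr, now=1_500),
          authorize_hardened("GET", traversal, hdr, now=1_500))
```

Running the block shows the weak handler serving `/api/customers` and the `..`-traversal path to an anonymous caller, while the hardened handler rejects both without a valid token and, with alice's token, allows the customer route but still refuses the admin route. The point for auditors is that the fix is not a longer prefix list; it is a deny-by-default check that sees normalised paths and trusts only identities it has verified.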
