Cyber Posture

CVE-2026-22237

Severity: Critical
Published: 14 January 2026
Modified: 02 February 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0056 (68.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22237 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Blusparkglobal Bluvoyix. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-22 Publicly Accessible Content (prevent)
Directly requires organizations to review, approve, and manage publicly accessible content to prevent exposure of sensitive internal API documentation.

SC-14 Public Access Protections (prevent)
Provides protections for information accessible from public networks, directly addressing risks from exposed sensitive API documentation.

(prevent, detect)
Monitors and controls communications at system boundaries to block exploitation of internal APIs via crafted HTTP requests informed by the exposed documentation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Vulnerability exposes sensitive internal API documentation, allowing unauthenticated remote attackers to send crafted HTTP requests to abuse public-facing APIs, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality.

Deeper analysis

CVE-2026-22237 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2026-01-14, affecting BLUVOYIX. It arises from the exposure of sensitive internal API documentation (CWE-200), which reveals details about internal APIs that should not be publicly accessible.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by sending specially crafted HTTP requests to the APIs exposed through the documentation. Successful exploitation enables the attacker to abuse internal functionality, resulting in high-impact damage to the targeted platform across confidentiality, integrity, and availability.

Mitigation guidance is available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.

Details

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Blusparkglobal Bluvoyix, all versions

CVEs Like This One

CVE-2026-22236: same product (Blusparkglobal Bluvoyix)
CVE-2026-22240: same product (Blusparkglobal Bluvoyix)
CVE-2026-22238: same product (Blusparkglobal Bluvoyix)
CVE-2025-22828: shared CWE-200
CVE-2026-40584: shared CWE-200
CVE-2026-31837: shared CWE-200
CVE-2025-67274: shared CWE-200
CVE-2025-27615: shared CWE-200
CVE-2025-25951: shared CWE-200
CVE-2024-13796: shared CWE-200

References