Cyber Resilience

CVE-2026-22237

Critical

Published: 14 January 2026
Modified: 02 February 2026
KEV Added: not listed
CVSS Score v4: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Amber)
EPSS Score: 0.0042 (33.7th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-22237 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Blusparkglobal Bluvoyix. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-22237 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2026-01-14, affecting BLUVOYIX. It arises from the exposure of sensitive internal API documentation (CWE-200): the published documentation reveals details of internal APIs that should not be reachable by the public.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by sending specially crafted HTTP requests to the APIs described in the exposed documentation. Successful exploitation lets the attacker abuse internal functionality, with high impact on the confidentiality, integrity, and availability of the targeted platform.

Mitigation guidance is available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.


Vulnerability details

The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes sensitive internal API documentation, allowing unauthenticated remote attackers to send crafted HTTP requests that abuse public-facing APIs; this directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22236 (same product: Blusparkglobal Bluvoyix)
CVE-2026-22240 (same product: Blusparkglobal Bluvoyix)
CVE-2026-22238 (same product: Blusparkglobal Bluvoyix)
CVE-2026-22239 (same product: Blusparkglobal Bluvoyix)
CVE-2026-34297 (shared CWE-200)
CVE-2025-22918 (shared CWE-200)
CVE-2026-2262 (shared CWE-200)
CVE-2026-23659 (shared CWE-200)
CVE-2026-24498 (shared CWE-200)
CVE-2026-32098 (shared CWE-200)

Affected Assets

Vendor: blusparkglobal
Product: bluvoyix
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

AC-22 Publicly Accessible Content (prevent): Directly requires organizations to review, approve, and manage publicly accessible content to prevent exposure of sensitive internal API documentation.

SC-14 Public Access Protections (prevent): Provides protections for information accessible from public networks, directly addressing risks from exposed sensitive API documentation.

System boundary monitoring (prevent, detect): Monitors and controls communications at system boundaries to block exploitation of internal APIs via crafted HTTP requests informed by the exposed documentation.
