CVE-2026-22238
Published: 14 January 2026
Summary
CVE-2026-22238 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Blusparkglobal Bluvoyix. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): the admin API must enforce approved authorizations on every request, so that an unauthenticated or non-administrative caller cannot reach the user-creation operation at all.
AC-2 (Account Management): creation of privileged accounts requires approval and oversight, which directly counters the unauthorized admin-user creation this API permits.
IA-2 (Identification and Authentication): every call to the admin API must be tied to an authenticated organizational user or process. Because the root cause is missing authentication on a critical function (CWE-306), IA-2 addresses the defect itself, while AC-2 and AC-3 limit what an attacker can do with a request that gets through.
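The following is an added illustration of the vulnerability class and of the three controls above in code; it is hypothetical and does not reproduce BLUVOYIX's implementation. The route `/admin/users`, the `Request`/`Response` types, the in-memory `users`, `sessions` and `approvals` stores, and the sample requests are all assumptions made for the example. The vulnerable handler never asks who is calling (CWE-306); the hardened handler resolves the caller from a bearer token (IA-2), rejects anyone who is not already an admin (AC-3), and refuses to create an admin-role account without a recorded approval from a second administrator (AC-2).

```python
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: dict


@dataclass
class Response:
    status: int
    body: dict


# Hypothetical endpoint path; the real BLUVOYIX route is not published.
ADMIN_USERS_PATH = "/admin/users"


def create_user_vulnerable(req: Request, users: dict) -> Response:
    """CWE-306 pattern: the handler trusts the request body and never asks who
    is calling, so an unauthenticated POST creates an account with whatever
    role the attacker names."""
    if req.method != "POST" or req.path != ADMIN_USERS_PATH:
        return Response(404, {"error": "not found"})
    username = req.body["username"]
    users[username] = {"role": req.body.get("role", "user")}
    return Response(201, {"created": username})


def caller_of(req: Request, sessions: dict):
    """IA-2: map the bearer token to an authenticated principal, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return sessions.get(auth[len("Bearer "):])


def create_user_hardened(req: Request, users: dict, sessions: dict, approvals: set) -> Response:
    """Same operation with IA-2, AC-3 and AC-2 applied, in that order."""
    if req.method != "POST" or req.path != ADMIN_USERS_PATH:
        return Response(404, {"error": "not found"})
    caller = caller_of(req, sessions)
    if caller is None:
        return Response(401, {"error": "authentication required"})
    # AC-3: only a principal that already holds the admin role may reach the
    # privileged operation; ordinary users get 403 regardless of the body.
    if users.get(caller, {}).get("role") != "admin":
        return Response(403, {"error": "admin role required"})
    username = req.body.get("username")
    role = req.body.get("role", "user")
    if not username or username in users or role not in ("user", "admin"):
        return Response(400, {"error": "invalid username or role"})
    # AC-2: a privileged account needs a recorded approval from a second,
    # different administrator before the API will create it.
    if role == "admin":
        approved = any(
            target == username
            and approver != caller
            and users.get(approver, {}).get("role") == "admin"
            for approver, target in approvals
        )
        if not approved:
            return Response(403, {"error": "admin creation requires second-admin approval"})
    users[username] = {"role": role}
    return Response(201, {"created": username, "role": role})


def demo() -> dict:
    """Run both handlers against the same unauthenticated request (constructed)."""
    attack = Request("POST", ADMIN_USERS_PATH, {}, {"username": "evil", "role": "admin"})
    vuln_users = {"alice": {"role": "admin"}}
    hard_users = {"alice": {"role": "admin"}}
    sessions = {"tok-alice": "alice"}
    return {
        "vulnerable": create_user_vulnerable(attack, vuln_users).status,
        "vulnerable_created_admin": vuln_users.get("evil", {}).get("role") == "admin",
        "hardened": create_user_hardened(attack, hard_users, sessions, set()).status,
        "hardened_created": "evil" in hard_users,
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: authentication (401) is evaluated before authorization (403), and both before the body is trusted, so an attacker with no session never gets far enough to influence which role is created.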
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated remote exploitation of a public-facing admin API (T1190) to create an administrative user account (T1136); logging in as that account yields full platform compromise.
NVD Description
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user.
Deeper analysis
CVE-2026-22238 is a critical-severity vulnerability (CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in BLUVOYIX, caused by improper authentication in the BLUVOYIX admin APIs. It is classified under CWE-269 (Improper Privilege Management) and CWE-306 (Missing Authentication for Critical Function). The issue allows exploitation through the admin APIs without any prior credentials.
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API, enabling the creation of a new user account with administrative privileges. Successful exploitation grants the attacker full access to customers' data and allows complete compromise of the targeted BLUVOYIX platform, as the attacker can log in using the newly created admin user.
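For defenders, the attack chain just described (an admin-role account created through the API with no authenticated caller, followed shortly by a login as that account) is a concrete thing to hunt for in application audit logs. The detection below is an added example, not BLUVOYIX's code or a published rule; the JSON-lines log format, field names and the sample lines are constructed for the illustration and will need mapping onto whatever the platform actually emits. It flags admin-role creations that carry no authenticated actor or whose actor is not a known admin, and annotates each finding with whether the new account logged in within a configurable window and from the same source address.

```python
import json
from datetime import datetime, timedelta

# Constructed JSON-lines audit sample for illustration; not BLUVOYIX's real
# log format. "actor" is null when the call carried no authenticated session.
SAMPLE_LOG = """\
{"ts": "2026-01-14T10:00:01Z", "event": "user.create", "actor": "alice", "target": "dave", "role": "user", "src": "198.51.100.7"}
{"ts": "2026-01-14T10:05:12Z", "event": "user.create", "actor": null, "target": "svc-backup", "role": "admin", "src": "203.0.113.5"}
{"ts": "2026-01-14T10:05:40Z", "event": "login", "actor": "svc-backup", "src": "203.0.113.5", "result": "success"}
{"ts": "2026-01-14T11:00:00Z", "event": "user.create", "actor": "bob", "target": "mallory", "role": "admin", "src": "203.0.113.9"}
{"ts": "2026-01-14T11:30:00Z", "event": "user.create", "actor": "alice", "target": "carol", "role": "admin", "src": "198.51.100.7"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_suspicious_admin_creations(events: list, known_admins: set,
                                    login_window: timedelta = timedelta(minutes=30)) -> list:
    """One finding per admin-role account creation that either had no
    authenticated actor (the CVE's signature) or was performed by a principal
    outside the known admin set. Each finding records whether the new account
    logged in within login_window, the post-exploitation step the NVD text
    describes, and whether that login came from the creating source address."""
    logins = [e for e in events if e.get("event") == "login" and e.get("result") == "success"]
    findings = []
    for e in events:
        if e.get("event") != "user.create" or e.get("role") != "admin":
            continue
        if e.get("actor") is None:
            reason = "unauthenticated_admin_creation"
        elif e["actor"] not in known_admins:
            reason = "non_admin_actor"
        else:
            continue  # an existing admin creating an admin is normal here
        first_login = next(
            (l for l in logins
             if l.get("actor") == e["target"]
             and e["ts"] <= l["ts"] <= e["ts"] + login_window),
            None,
        )
        findings.append({
            "target": e["target"],
            "src": e.get("src"),
            "reason": reason,
            "logged_in_within_window": first_login is not None,
            "login_src_matches": first_login is not None and first_login.get("src") == e.get("src"),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admin_creations(parse_events(SAMPLE_LOG), {"alice"}):
        print(f)
```

A creation with no actor followed within minutes by a successful login from the same address is the highest-confidence signal; an admin created by a non-admin actor still warrants review because it indicates the access-enforcement check is missing or bypassed even when some session was present.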
Mitigation details are available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.
Details
- CWE(s)