
CVE-2026-22240

Critical

Published: 14 January 2026

Modified: 02 February 2026
CVSS v4.0 score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Red)
EPSS score: 0.0300 (85.6th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-22240 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Blusparkglobal Bluvoyix. Its CVSS v4.0 base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-22240 is a vulnerability in BLUVOYIX caused by an improper password storage implementation and subsequent exposure via unauthenticated APIs. The affected component is the users API, from which the plaintext passwords of all users are retrievable. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information), CWE-312 (Cleartext Storage of Sensitive Information), and CWE-522 (Insufficiently Protected Credentials).

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API, allowing retrieval of plaintext passwords for all users, including admin accounts. Successful exploitation enables the attacker to log in using exposed admin email addresses and passwords, resulting in full access to customers' data and complete compromise of the targeted platform.

For additional details, refer to the reference at https://blusparkglobal.com/bluvoyix/.


Vulnerability details

The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

Direct, unauthenticated API exposure of plaintext credentials on a public-facing application enables exploitation under T1190 and unsecured credential access under T1552.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-22237 (same product: Blusparkglobal Bluvoyix)
- CVE-2026-22236 (same product: Blusparkglobal Bluvoyix)
- CVE-2026-22238 (same product: Blusparkglobal Bluvoyix)
- CVE-2026-22239 (same product: Blusparkglobal Bluvoyix)
- CVE-2026-32633 (shared CWE-200, CWE-522)
- CVE-2026-25146 (shared CWE-200)
- CVE-2024-56902 (shared CWE-200)
- CVE-2024-48125 (shared CWE-200)
- CVE-2025-55190 (shared CWE-200)
- CVE-2026-35467 (shared CWE-522)

Affected Assets

Vendor: blusparkglobal
Product: bluvoyix
Versions: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- IA-5 (prevent): requires management and protection of authenticators, including passwords, from unauthorized disclosure, directly addressing cleartext storage and exposure in the users API.
- SC-28 (prevent): mandates cryptographic protection of sensitive information at rest, preventing the plaintext password storage that enables retrieval via the vulnerable API.
- AC-3 (prevent): enforces approved access authorizations, blocking unauthenticated HTTP requests to the users API that expose plaintext passwords.
