CVE-2026-22240
Published: 14 January 2026
Summary
CVE-2026-22240 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Blusparkglobal Bluvoyix. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score ranks at the 5.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping has not yet been run for this entry; the list below is derived from the weakness types (CWEs) cited in the NVD record.
- Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media. For stored passwords specifically (CWE-312, CWE-522), the correct form of this control is a per-user salted, deliberately slow one-way hash rather than reversible encryption, which leaves the plaintext recoverable to anything that holds the key.
- Security and privacy literacy training teaches users to recognize and avoid actions that expose sensitive information to unauthorized parties.
- Retaining and monitoring training records confirms that personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of exposure caused by lack of knowledge.
- A data action map identifies the points in processing or transfer where sensitive information may be exposed to unauthorized actors.
- The media protection policy defines requirements and procedures to prevent unauthorized disclosure of, or access to, sensitive information on media.
- Out-of-band delivery transmits sensitive data on a separate path, directly reducing exposure to unauthorized actors on the primary channel.
- Applying OPSEC processes across the SDLC directly prevents exposure of critical organizational information.
- Automated marking applies security attributes to system outputs so that sensitive information is identifiable and handled accordingly, instead of circulating as unmarked data that is easier to expose.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
An unauthenticated API on a public-facing application that returns plaintext credentials maps to Exploit Public-Facing Application (T1190) for the initial access and to Unsecured Credentials (T1552) for the credential theft that follows.
NVD Description
The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.
Deeper analysis (AI-generated)
CVE-2026-22240 is a vulnerability in BLUVOYIX caused by an improper password storage implementation and subsequent exposure via unauthenticated APIs. The affected component is the users API, from which the plaintext passwords of all users can be retrieved. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-312 (Cleartext Storage of Sensitive Information), and CWE-522 (Insufficiently Protected Credentials).
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API, allowing retrieval of plaintext passwords for all users, including admin accounts. Successful exploitation enables the attacker to log in using exposed admin email addresses and passwords, resulting in full access to customers' data and complete compromise of the targeted platform.
For additional details, refer to the reference at https://blusparkglobal.com/bluvoyix/.
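The two defects the analysis describes, cleartext storage and a users endpoint that serialises whole records to unauthenticated callers, are shown side by side below as an added Python example. It is illustrative code written for this page, not Bluvoyix code: the record layout, field names, scrypt work factors and the caller model are assumptions, since the advisory does not disclose the product's internals.

```python
"""Cleartext credential storage/exposure next to a hardened version (illustrative)."""
import hashlib
import hmac
import json
import secrets

# ---- Vulnerable pattern: CWE-312 storage plus CWE-200 exposure ----------------

def create_user_vulnerable(email, password):
    # Hypothetical record layout: the password is persisted exactly as entered.
    return {"email": email, "password": password, "role": "user"}

def list_users_vulnerable(db):
    # Serialises every stored column, secret included, and never asks who is calling.
    return json.dumps(db)

# ---- Hardened pattern ---------------------------------------------------------

# Assumed work factors: 128*r*N bytes = 16 MiB per hash, within CPython's default scrypt maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password, salt=None):
    """Return a self-describing 'scrypt$N$r$p$salt$digest' string; the salt is per user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])

def verify_password(password, stored):
    """Recompute with the stored parameters; reject malformed records instead of raising."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def create_user_hardened(email, password, role="user"):
    # Only the one-way hash is stored; the cleartext never reaches the record.
    return {"email": email, "password_hash": hash_password(password), "role": role}

PUBLIC_FIELDS = ("email", "role")   # allow-list: a new sensitive column cannot leak by default

def to_public(record):
    return {k: record[k] for k in PUBLIC_FIELDS}

def list_users_hardened(db, caller):
    """caller is the authenticated principal (a dict with a 'role'), or None if unauthenticated."""
    if caller is None or caller.get("role") != "admin":
        raise PermissionError("authenticated admin required")
    return json.dumps([to_public(u) for u in db])

def request_is_denied(db, caller):
    """True when the hardened endpoint refuses the caller (used to exercise the check)."""
    try:
        list_users_hardened(db, caller)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    vuln_db = [create_user_vulnerable("admin@example.test", "Winter2026!")]
    print("vulnerable API, anonymous caller ->", list_users_vulnerable(vuln_db))

    hard_db = [create_user_hardened("admin@example.test", "Winter2026!", role="admin")]
    print("hardened API, anonymous caller denied:", request_is_denied(hard_db, None))
    print("hardened API, admin caller ->", list_users_hardened(hard_db, {"role": "admin"}))
    print("login check:", verify_password("Winter2026!", hard_db[0]["password_hash"]))
```

Three independent fixes are at work, and any one of them alone would have blunted this class of bug: the credential is stored only as a salted slow hash, so a leaked record is not a usable password; serialisation is allow-listed rather than dumping the row; and the endpoint refuses callers who are not an authenticated admin before it touches the data.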
Details
- CWE(s)