CVE-2026-22240
Published: 14 January 2026
Summary
CVE-2026-22240 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Blusparkglobal Bluvoyix. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 14.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-22240 is a vulnerability in BLUVOYIX caused by an improper password storage implementation and subsequent exposure via unauthenticated APIs. The affected component is the users API, from which the plaintext passwords of all users are retrievable. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information), CWE-312 (Cleartext Storage of Sensitive Information), and CWE-522 (Insufficiently Protected Credentials).
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API, allowing retrieval of plaintext passwords for all users, including admin accounts. Successful exploitation enables the attacker to log in using exposed admin email addresses and passwords, resulting in full access to customers' data and complete compromise of the targeted platform.
For additional details, refer to the reference at https://blusparkglobal.com/bluvoyix/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2469
Vulnerability details
The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated API exposure of plaintext credentials on a public-facing app enables T1190 exploitation and T1552 unsecured credential access.
Mitigating Controls (NIST 800-53 r5)
IA-5 requires management and protection of authenticators including passwords from unauthorized disclosure, directly addressing cleartext storage and exposure in the users API.
SC-28 mandates cryptographic protection of sensitive information at rest, preventing plaintext password storage that enables retrieval via the vulnerable API.
AC-3 enforces approved access authorizations, blocking unauthenticated HTTP requests to the users API that expose plaintext passwords.
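The hardened pattern these three controls describe, shown as an added example that is not the vendor's code and assumes nothing about BLUVOYIX's actual implementation: a minimal hypothetical users API that hashes passwords at rest (SC-28, CWE-312), never serialises credential fields (IA-5, CWE-200/CWE-522), and rejects unauthenticated or non-admin callers (AC-3). The in-memory store and the sample accounts are constructed for the example.

```python
import hashlib
import secrets
from typing import Any, Dict, Optional, Tuple

# Constructed in-memory store standing in for a real users table.
USERS: Dict[str, Dict[str, Any]] = {}

# Allow-list of fields a users API response may ever contain (IA-5):
# credential material is excluded by construction, not by a deny-list
# that a new column could slip past.
PUBLIC_FIELDS = ("email", "role")


def hash_password(password: str, salt: bytes) -> bytes:
    """SC-28 / CWE-312: keep a salted, memory-hard KDF output at rest, never plaintext."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def create_user(email: str, password: str, role: str = "user") -> None:
    """Register an account; the plaintext password is discarded after hashing."""
    salt = secrets.token_bytes(16)
    USERS[email] = {"email": email, "role": role, "salt": salt,
                    "password_hash": hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    """Login check that works without the server ever storing a plaintext password."""
    rec = USERS.get(email)
    if rec is None:
        return False
    candidate = hash_password(password, rec["salt"])
    return secrets.compare_digest(candidate, rec["password_hash"])


def serialize_user(rec: Dict[str, Any]) -> Dict[str, Any]:
    """CWE-200 fix: emit only allow-listed fields, so neither hash nor salt can leak."""
    return {k: rec[k] for k in PUBLIC_FIELDS}


def users_endpoint(session: Optional[Dict[str, str]]) -> Tuple[int, Any]:
    """GET /users. AC-3: refuse unauthenticated callers and non-admin roles
    before touching the store (the flaw described above required neither)."""
    if session is None:
        return 401, {"error": "authentication required"}
    if session.get("role") != "admin":
        return 403, {"error": "admin role required"}
    return 200, [serialize_user(r) for r in USERS.values()]
```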