CVE-2026-22236

Critical

Published: 14 January 2026

Published

14 January 2026

Modified

02 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0024 47.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the…

attacker to gain full access to customers' data and completely compromise the targeted platform.

Mitigating Controls (NIST 800-53 r5)AI

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users such as customers accessing backend APIs, directly preventing unauthenticated remote exploitation of the improper authentication vulnerability.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to system resources including backend APIs, mitigating unauthorized data access and platform compromise resulting from flawed authentication.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Explicitly authorizes and limits actions performable without identification or authentication, preventing exposure of sensitive backend APIs to unauthenticated attackers.

Security SummaryAI

CVE-2026-22236 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2026-01-14, affecting the BLUVOYIX platform due to improper authentication (CWE-287) in its backend APIs. This flaw allows unauthorized access through flawed authentication mechanisms in the APIs.

An unauthenticated remote attacker can exploit the vulnerability by sending specially crafted HTTP requests to the vulnerable backend APIs. Successful exploitation grants the attacker full access to customers' data and enables complete compromise of the targeted BLUVOYIX platform.

Mitigation details are available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.

Details

CWE(s): CWE-287

Affected Products

blusparkglobal

bluvoyix

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an improper authentication flaw in public-facing backend APIs, directly enabling exploitation of a public-facing application for unauthorized access and full platform compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://blusparkglobal.com/bluvoyix/
Product · 56a186b1-7f5e-4314-ba38-38d5499fccfd