Cyber Posture

CVE-2026-22238

Critical

Published: 14 January 2026
Modified: 02 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in as the newly created admin user.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: AC-3 enforces approved authorizations for access to the admin API, preventing unauthenticated attackers from sending requests to create admin users.

Prevent: AC-2 manages system accounts by requiring approval and oversight for creation of privileged accounts, directly countering unauthorized admin user creation via the vulnerable API.

Prevent: IA-2 requires identification and authentication for organizational users and processes, ensuring the admin API cannot be accessed without proper credentials.

Security Summary [AI]

CVE-2026-22238 is a critical-severity vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in BLUVOYIX, caused by improper authentication in the BLUVOYIX admin APIs (associated with CWE-269: Improper Privilege Management and CWE-306: Missing Authentication for Critical Function). The admin APIs can be exploited without any prior credentials.

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API, enabling the creation of a new user account with administrative privileges. Successful exploitation grants the attacker full access to customers' data and allows complete compromise of the targeted BLUVOYIX platform, as the attacker can log in using the newly created admin user.

Mitigation details are available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.

Details

CWE(s)

Affected Products

blusparkglobal bluvoyix (all versions)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136 Create Account (Persistence): Adversaries may create an account to maintain access to victim systems.
Why these techniques?

The CVE enables unauthenticated remote exploitation of public-facing admin APIs (T1190) to create administrative user accounts (T1136), granting full platform compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
