CVE-2026-22238 | The vulnerability exists in BLUVOYIX due to improper authent… | CVSS 10.0 CRITICAL

Description

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user.

Metadata

CVE ID: CVE-2026-22238
State: PUBLISHED
Assigner: MHV
Reserved: 2026-01-06 23:20 UTC
Published: 2026-01-14 14:38 UTC
Last updated: 2026-01-14 15:00 UTC
Primary CWE: CWE-306
CWE-306 Missing Authentication for Critical Function
Vendor / Product: Bluspark Global / BLUVOYIX
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/RE:H/U:Red

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Bluspark Global	BLUVOYIX	—	—

Weakness (CWE)

CWE	Source	Description
CWE-269	cna	CWE-269 Improper Privilege Management
CWE-306	cna	CWE-306 Missing Authentication for Critical Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/RE:H/U:Red

References (1)

https://blusparkglobal.com/bluvoyix/