Back to overview

CVE-2026-59255

HIGH Exploitation: PoC
7.1
CVSS 3.1
Description
BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting all users and tenants by invoking unprotected POST, PUT, and DELETE operations on the custom-nodes endpoints.

Metadata

CVE ID
CVE-2026-59255
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-04 12:17 UTC
Published
2026-07-15 17:03 UTC
Last updated
2026-07-15 18:04 UTC
Primary CWE
CWE-862
Missing Authorization
Vendor / Product
SpecterOps / BloodHound
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
SpecterOps BloodHound 0 ≤ 9.4.0, 8f790351349fd87bcb04377aba84cba6495825b3
Weakness (CWE)
CWESourceDescription
CWE-862 cna Missing Authorization
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
7.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Back to overview