Deactivated User Accounts Retain Authentication Access

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear the associated tokenAuth and tokenRemember fields in the JSON database. Consequently, any user with a pre-existing "Remember Me" cookie can bypass the account disablement and maintain a valid authenticated state. Version 3.22.0 patches the issue.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

Bludit CMS versions before 3.22.0 contain a critical flaw in user account lifecycle management where disabled user accounts remain accessible through persistent authentication tokens. When administrators deactivate users, the application fails to invalidate tokenAuth and tokenRemember fields stored in the JSON database, allowing attackers with previously-issued "Remember Me" cookies to maintain valid authentication sessions indefinitely. This affects any Bludit deployment where user account disablement is relied upon as a security control, creating a persistent backdoor for terminated employees, compromised accounts, or malicious actors who obtained valid cookies before account suspension.

Casky's 261 mapped skills leverage Claude's extended reasoning to correlate token persistence patterns with MITRE ATT&CK's Initial Access (TA0004) and Persistence (TA0006) techniques. Practitioners using Casky would observe detections flagging: (1) authentication events from disabled user accounts, (2) token validation failures that don't trigger account lockouts, and (3) cookie-based access patterns that bypass normal account status checks. The platform's skill set helps identify suspicious gaps where account disablement events don't correlate with session termination, revealing the exact CWE-212 (Improper Cross-boundary Removal of Sensitive Data) and CWE-613 (Insufficient Session Expiration) weaknesses in real environment data.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-46657.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-46657

Casky has 261 skills that investigate the attack patterns behind CVE-2026-46657. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn