CVE-2026-59255: Missing Authorization in BloodHound Custom Node API
An authenticated attacker can exploit CVE-2026-59255, a missing authorization vulnerability in BloodHound versions through 9.4.0's custom-nodes API endpoints, to modify the global graph schema by creating, updating, or deleting custom node types, affecting all users and tenants.
CVE-2026-59255 details a critical missing authorization vulnerability affecting BloodHound versions through 9.4.0. This flaw, fixed in commit 8f79035, exists within the custom-nodes API endpoints. Any authenticated user, regardless of their intended privilege level, can exploit this vulnerability to modify the global graph schema. By simply possessing a valid session token, attackers can invoke unprotected POST, PUT, and DELETE operations on these endpoints. This allows them to create, update, or delete custom node types, which globally impacts all users and tenants within the BloodHound environment. The vulnerability stems from an improper access control check, enabling unauthorized privilege escalation for sensitive configuration changes. This can lead to data integrity issues, operational disruption, or further reconnaissance advantages for an attacker.
Attack Chain
- An attacker first obtains a valid session token for any authenticated BloodHound user, potentially through credential compromise or legitimate login.
- The attacker identifies the vulnerable
custom-nodesAPI endpoints, which lack proper authorization checks for schema modification. - Using the valid session token, the attacker crafts and sends unprotected POST, PUT, or DELETE HTTP requests to these
custom-nodesAPI endpoints. - The BloodHound application processes these requests without verifying the user's authorization to modify global schema elements.
- The attacker successfully manipulates the global graph schema by creating, updating, or deleting custom node types.
- The modified schema is then propagated across the BloodHound environment, affecting all users and tenants.
Impact
Successful exploitation of CVE-2026-59255 can lead to severe data integrity issues and operational disruption within BloodHound environments. An attacker can create arbitrary custom node types, potentially introducing malicious entities or misleading information into the graph. They can also modify existing critical schema definitions, corrupting the foundational structure of the BloodHound data, or delete essential custom node types, leading to significant data loss or rendering parts of the BloodHound analysis inoperable for all users and tenants. While no specific victim counts are provided, any organization utilizing affected BloodHound versions is vulnerable to this type of schema tampering, which can impede security investigations and undermine the platform's reliability.
Recommendation
- Upgrade BloodHound to a version that includes the fix provided by commit
8f79035. - Monitor BloodHound application logs for unusual or unauthorized modification attempts to schema-related API endpoints (e.g.,
custom-nodesAPI) by non-administrator accounts. - Implement strong authentication and session management practices to prevent attackers from easily obtaining
valid session tokensfor BloodHound users.