{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bloodhound--9.4.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-59255"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BloodHound (\u003c= 9.4.0)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","bloodhound","authorization","api-exploitation"],"_cs_type":"advisory","_cs_vendors":["SpecterOps"],"content_html":"\u003cp\u003eCVE-2026-59255 details a critical missing authorization vulnerability affecting BloodHound versions through 9.4.0. This flaw, fixed in commit 8f79035, exists within the \u003ccode\u003ecustom-nodes\u003c/code\u003e API endpoints. Any authenticated user, regardless of their intended privilege level, can exploit this vulnerability to modify the global graph schema. By simply possessing a valid session token, attackers can invoke unprotected POST, PUT, and DELETE operations on these endpoints. This allows them to create, update, or delete custom node types, which globally impacts all users and tenants within the BloodHound environment. The vulnerability stems from an improper access control check, enabling unauthorized privilege escalation for sensitive configuration changes. This can lead to data integrity issues, operational disruption, or further reconnaissance advantages for an attacker.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker first obtains a valid session token for any authenticated BloodHound user, potentially through credential compromise or legitimate login.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable \u003ccode\u003ecustom-nodes\u003c/code\u003e API endpoints, which lack proper authorization checks for schema modification.\u003c/li\u003e\n\u003cli\u003eUsing the valid session token, the attacker crafts and sends unprotected POST, PUT, or DELETE HTTP requests to these \u003ccode\u003ecustom-nodes\u003c/code\u003e API endpoints.\u003c/li\u003e\n\u003cli\u003eThe BloodHound application processes these requests without verifying the user's authorization to modify global schema elements.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully manipulates the global graph schema by creating, updating, or deleting custom node types.\u003c/li\u003e\n\u003cli\u003eThe modified schema is then propagated across the BloodHound environment, affecting all users and tenants.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59255 can lead to severe data integrity issues and operational disruption within BloodHound environments. An attacker can create arbitrary custom node types, potentially introducing malicious entities or misleading information into the graph. They can also modify existing critical schema definitions, corrupting the foundational structure of the BloodHound data, or delete essential custom node types, leading to significant data loss or rendering parts of the BloodHound analysis inoperable for all users and tenants. While no specific victim counts are provided, any organization utilizing affected BloodHound versions is vulnerable to this type of schema tampering, which can impede security investigations and undermine the platform's reliability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade BloodHound to a version that includes the fix provided by commit \u003ccode\u003e8f79035\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor BloodHound application logs for unusual or unauthorized modification attempts to schema-related API endpoints (e.g., \u003ccode\u003ecustom-nodes\u003c/code\u003e API) by non-administrator accounts.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and session management practices to prevent attackers from easily obtaining \u003ccode\u003evalid session tokens\u003c/code\u003e for BloodHound users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T18:24:51Z","date_published":"2026-07-15T18:24:51Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59255-bloodhound-authz/","summary":"An authenticated attacker can exploit CVE-2026-59255, a missing authorization vulnerability in BloodHound versions through 9.4.0's custom-nodes API endpoints, to modify the global graph schema by creating, updating, or deleting custom node types, affecting all users and tenants.","title":"CVE-2026-59255: Missing Authorization in BloodHound Custom Node API","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59255-bloodhound-authz/"}],"language":"en","title":"CraftedSignal Threat Feed - BloodHound (\u003c= 9.4.0)","version":"https://jsonfeed.org/version/1.1"}