I’m The Captain Now: Hijacking a global ocean supply chain network

Key Points / Summary
- BLUVOYIX by Bluspark Global is an ocean logistics / supply chain platform used by hundreds of the world’s largest companies. The software is also used by several affiliated companies.
- Critical vulnerabilities were uncovered that enabled full platform takeover and access to all customer data/shipments. As of the date of publication, these issues are resolved.
- CVE-2026-22236: APIs did not check for a valid authorization token. As a result, all APIs were unauthenticated.
- CVE-2026-22237: Exposed API documentation. Combined with CVE-2026-22236, this made it easy to find the unauthenticated endpoints and cause real damage.
- CVE-2026-22238: You could create your own admin account through an HTTP POST to the users API.
- CVE-2026-22239: Email sending code was found in client-side JS, making it possible to send official-looking phishing/malicious emails.
- CVE-2026-22240: Plaintext passwords. There were 3 APIs that could be used to retrieve the plaintext passwords of all accounts, including admins.
- Admin access made it possible to view, modify, and even cancel customer shipments going back to 2007.
There’s a good chance you have never heard of BLUVOYIX or Bluspark Global, and that’s ok! Not every company that powers global commerce is a household name. Despite their low profile, companies like these have an important role to play in keeping the global supply chain running in the background. Breaches at companies you haven’t heard of can often have the worst impacts.
BLUVOYIX is a SaaS platform that powers the cargo and ocean shipping/logistics industry. It is best described by this block of text from their website:
> A cloud-based solution that helps shippers manage their supply chain data in a frictionless, neutral environment supported by a best-in-class tech stack
There’s also this PDF that explains it in more detail. What you basically need to know is this: 500 companies use it to manage their global supply chains, and the platform ran on plaintext passwords and unauthenticated APIs. Let’s dive in!
The discovery & plaintext passwords
Hacking automakers is a lot of fun, but in recent months I wanted to try branching out into a different industry to see what I could find. Searching for shipping associations and login/registration panels landed me on the joining page of a BLUVOYIX customer that uses the platform:
It’s a React JS website (my favorite!). Poking around, I found the API root. One of the first things I like to try is visiting the API root in the browser: with some luck you find documentation, and that was the case here!
Some juicy stuff there. The “getUserList” API stuck out:
The endpoint as written in the docs didn’t work, but removing the port and switching to HTTPS was all it took to make the API call succeed:
It returned the entire user list without any authentication at all. Worse, it included plaintext passwords, even for the admin. After only a few minutes, I had presumably compromised the entire system.
Admin account creation
In another test, I used the create user API to create my own administrator account:
The confirmation email came in, and it included the plaintext password as well…
From there, all you do is log in via the “NVO” portal…
And then you are in!
A look at the login
Let’s take a look at how the login works for that NVO site. When you log in via username and password, it returns a JWT. Pretty standard.
Every API call then sends that token along. But it turns out the token isn’t even needed: remove it and the request goes through just the same. Oops.
First Customer
Let’s go back to that first customer now. I found the login page you presumably use after your registration is approved:
I then found the APIs it uses, and it had the same problem with public API documentation:
The get user API stuck out. According to the documentation, its response includes the password if you supply a valid username and role. I wasn’t sure what the role values were, but finding a valid email was easy: there were a few in the client-side code used to compose and send emails. Yes, the front end was building emails itself and sending them. Do not do this!
Plugging in that email with a guessed role value yielded the password:
The account was, of course, the admin, so it gave access to all customer data, some of it going back to the 2000s!
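The two API patterns behind this, a create-user call that honours a client-supplied admin role and emails the password back (the NVO admin account earlier), and get-user / getUserList calls that return the stored password, are easy to reproduce and just as easy to fix. The following is an added example, not code from Bluspark or BLUVOYIX: it sketches both handlers in a vulnerable form that matches what the post describes and in a hardened form that only lets an authenticated admin create accounts, whitelists the role, hashes passwords with PBKDF2-HMAC-SHA256, and serialises user records through one view that never carries a secret. The field names, roles, sample records and the `caller` argument (claims of an already authenticated user, which the auth layer would supply) are assumptions for the demo.

```python
"""Added example (not Bluspark/BLUVOYIX code): a users API in the form the
post describes beside a hardened version.  Field names, roles, the sample
records and the `caller` argument are constructed for this demo."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALLOWED_ROLES = {"user", "admin"}
PBKDF2_ROUNDS = 600_000          # OWASP guidance for PBKDF2-HMAC-SHA256
PUBLIC_FIELDS = ("email", "role")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'; the stored form cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def public_view(row: dict) -> dict:
    """The only shape a user record is ever serialised in: no password, no hash."""
    return {k: row[k] for k in PUBLIC_FIELDS}


class UsersVulnerable:
    """Reproduces the post: no auth, role from the body, password stored and returned in the clear."""

    def __init__(self) -> None:
        self.rows: dict = {}

    def create(self, body: dict) -> Tuple[int, dict]:
        row = {"email": body["email"], "role": body.get("role", "user"), "password": body["password"]}
        self.rows[row["email"]] = row
        return 201, row                      # echoes the password back (and into the welcome mail)

    def get_user(self, username: str, role: str) -> Tuple[int, Optional[dict]]:
        row = self.rows.get(username)
        if row is not None and row["role"] == role:
            return 200, row                  # whole row, password included
        return 404, None

    def get_user_list(self) -> Tuple[int, list]:
        return 200, list(self.rows.values())


class UsersHardened:
    """`caller` is the claims dict of an already authenticated user, or None."""

    def __init__(self) -> None:
        self.rows: dict = {}

    @staticmethod
    def _deny(caller: Optional[dict], need_admin: bool = True) -> Optional[Tuple[int, dict]]:
        if caller is None:
            return 401, {"error": "authentication required"}
        if need_admin and caller.get("role") != "admin":
            return 403, {"error": "admin only"}
        return None

    def create(self, body: dict, caller: Optional[dict]) -> Tuple[int, dict]:
        denied = self._deny(caller)
        if denied:
            return denied
        role = body.get("role", "user")
        if role not in ALLOWED_ROLES:        # whitelist, not free text from the client
            return 400, {"error": "unknown role"}
        if body["email"] in self.rows:
            return 409, {"error": "exists"}
        self.rows[body["email"]] = {"email": body["email"], "role": role,
                                    "password_hash": hash_password(body["password"])}
        return 201, public_view(self.rows[body["email"]])

    def get_user(self, username: str, caller: Optional[dict]) -> Tuple[int, Optional[dict]]:
        # an admin may read anyone; a user may read only themselves; nobody gets a password
        denied = self._deny(caller, need_admin=False)
        if denied:
            return denied
        if caller.get("role") != "admin" and caller.get("email") != username:
            return 403, {"error": "forbidden"}
        row = self.rows.get(username)
        return (200, public_view(row)) if row else (404, None)

    def get_user_list(self, caller: Optional[dict]) -> Tuple[int, object]:
        denied = self._deny(caller)
        if denied:
            return denied
        return 200, [public_view(r) for r in self.rows.values()]

    def login(self, email: str, password: str) -> bool:
        row = self.rows.get(email)
        return row is not None and check_password(password, row["password_hash"])
```

The important design choice is `public_view`: once every response path goes through one serialiser that only knows `email` and `role`, a "return the whole row" bug of the kind the post found cannot leak a credential, and because only a salted PBKDF2 digest is stored there is no plaintext to leak in the first place.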
At the top right, there is an account switcher where you could switch into customer tenants, and there were a lot of them. The full list of customers is not being shared.
Auth was broken here too: you can put any value you want in the Authorization header and it never returns a 401.
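Both the NVO login earlier (a JWT that is returned and sent along but never needed) and this customer's API (any Authorization header value accepted) fail the same way, so here is what an enforced check and a quick probe for it look like. This is an added example, not Bluspark's or BLUVOYIX's code: it assumes HS256 JWTs signed with a server-side secret, a `role` claim, and a `getUserList`-style endpoint; the secret, the user record and the endpoint names are constructed for the demo, and the three-request probe is the generic check, not something from the original report.

```python
"""Added example (not Bluspark/BLUVOYIX code): an HS256 JWT check the API
should have performed, a vulnerable and a hardened `getUserList`, and a
three-request probe that shows whether an endpoint enforces the header.
Secret, user record and endpoint names are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Tuple

SECRET = b"demo-only-signing-key"        # constructed; load from a secret store in real code
USERS = [{"id": 1, "email": "admin@example.test", "role": "admin"}]   # constructed record


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, role: str, ttl: int = 3600) -> str:
    """What the login endpoint hands back after a successful username/password check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "role": role, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the signature and expiry check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":   # no alg=none, no key confusion
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
            return None
        return claims
    except ValueError:        # bad split, base64, JSON and UTF-8 errors are all ValueError subclasses
        return None


Endpoint = Callable[[Dict[str, str]], Tuple[int, object]]


def get_user_list_vulnerable(headers: Dict[str, str]) -> Tuple[int, object]:
    """The pattern in the post: the token is sent along but never looked at."""
    return 200, USERS


def get_user_list_hardened(headers: Dict[str, str]) -> Tuple[int, object]:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if claims.get("role") != "admin":
        return 403, {"error": "admin only"}
    return 200, USERS


def probe_auth_enforcement(endpoint: Endpoint, valid_token: str) -> dict:
    """Same request three times: valid token, no header, junk header.
    An endpoint that answers 200 to all three is not checking anything."""
    result = {
        "valid": endpoint({"Authorization": f"Bearer {valid_token}"})[0],
        "missing": endpoint({})[0],
        "garbage": endpoint({"Authorization": "Bearer not.a.jwt"})[0],
    }
    result["enforced"] = (result["valid"] == 200
                          and result["missing"] in (401, 403)
                          and result["garbage"] in (401, 403))
    return result


if __name__ == "__main__":
    admin_token = issue_token("admin@example.test", "admin")
    print("vulnerable:", probe_auth_enforcement(get_user_list_vulnerable, admin_token))
    print("hardened:  ", probe_auth_enforcement(get_user_list_hardened, admin_token))
```

The probe is the check worth automating across every route of a real API: if the valid, missing and garbage variants of a request all come back 200, the token is decorative. Note that the hardened handler rejects the token before it ever reads a claim, and pins the algorithm, so a forged header cannot downgrade the check.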
Second Customer
At this point I had almost seen enough, but then tried my luck with another one of their customers using the BLUVOYIX platform.
Similar tech stack:
Same vulnerabilities:
Same takeover of all customers:
There may be other portals or shipping associations out there, but after taking over the 3 most prominent systems, that was enough to prove the impact, so I started getting the report together.
Timeline
I believed these vulnerabilities were CVE-worthy, so I submitted the details to the Maritime Hacking Village VDP, which seemed to be a perfect fit for this type of research. I heard back from them right away and they have been a pleasure to work with. If you ever find something maritime related, I can’t recommend them enough.
We attempted to contact Bluspark through several different channels, but did not receive a substantive response until we asked a journalist for help. The journalist contacted a prominent customer to help escalate. Once contact was established with Bluspark, they were appreciative, responsive, and ultimately fixed all reported vulnerabilities in a timely manner.
The full timeline:
- October 9, 2025: Messages sent to Bluspark executives on LinkedIn, voicemails left on office phones.
- October 10, 2025: Called CEO again, left message. Email sent to public email listed on website.
- October 13, 2025: Called CEO again, left message. Email sent to CEO.
- October 16, 2025: Emails resent to CEO and public email.
- October 23, 2025: Attempted plea on LinkedIn. Employee of Bluspark responds via LinkedIn message.
- October 27, 2025: New email sent to Bluspark employee. CEO calls representative of Maritime Hacking Village to inquire if this is legitimate.
- October 29, 2025: Follow-up to Oct 27th email sent.
- November 3, 2025: In the initial email sent to Bluspark, we had indicated the intent to disclose after 90 days in collaboration with them, or after 30 days if there was no response. In a last-ditch effort to try and save their customers from a breach, a TechCrunch journalist was contacted for help.
- November 4, 2025: Bluspark customer contacted by journalist for help escalating.
- November 5, 2025: Contact finally established with Bluspark team.
- November 7, 2025: First meeting held to discuss the vulnerabilities and the timeline. Most of the vulnerabilities were also fixed the same day. Between this date and January 7, 2026, there were a few more back-and-forth emails to answer questions, iron out details, etc.
- January 14, 2026: This blog and 5 CVEs published.