{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67259", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T17:58:28.632Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-04-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T15:18:31.971Z"}, "descriptions": [{"lang": "en", "value": "A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged \"student\" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link"}, {"url": "https://github.com/classroomio/classroomio/issues/642"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "CWE-285 Improper Authorization"}]}], "references": [{"url": "https://github.com/classroomio/classroomio/issues/642", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T17:52:32.475728Z", "id": "CVE-2025-67259", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:58:28.632Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67259", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T17:58:28.632Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-04-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T15:18:31.971Z"}, "descriptions": [{"lang": "en", "value": "A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged \"student\" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link"}, {"url": "https://github.com/classroomio/classroomio/issues/642"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67259", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T17:52:32.475728Z"}}}], "references": [{"url": "https://github.com/classroomio/classroomio/issues/642", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:57:12.741Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged \"student\" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata."}], "id": "CVE-2025-67259", "lastModified": "2026-04-24T18:16:23.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-24T16:16:23.907", "references": [{"source": "cve@mitre.org", "url": "https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link"}, {"source": "cve@mitre.org", "url": "https://github.com/classroomio/classroomio/issues/642"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/classroomio/classroomio/issues/642"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-285"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.13"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "classroomio", "vendor": "classroomio"}], "analysis": {"en": {"generated_at": "2026-04-28T07:10:45.574349+00:00", "value": {"mitigation_remediation": ["Upgrade ClassroomIO to a patched version that restricts GET access on the /rest/v1/course endpoint to authorized roles \u2013 for example, upgrade to v0.1.14 or later if available.", "Reconfigure the PostgREST service or the application\u2019s routing logic so that only POST requests are accepted on /rest/v1/course for student users, or add explicit authorization checks to ensure that only users with the correct permissions can retrieve course data.", "Implement network monitoring and enforcement of TLS to detect and block abnormal GET requests to /rest/v1/course and to prevent interception of requests by attackers."], "summary": {"action": "Patch", "impact": "Unauthorized disclosure of student, tutor, and course data due to broken access control"}, "threat_synthesis": {"affected_systems": "ClassroomIO version 0.1.13 on all deployments is affected. No other versions were identified in the current advisory.", "description_and_impact": "The vulnerability is a broken access control in ClassroomIO v0.1.13 that allows any authenticated low\u2011privileged student to read other students\u2019 personal information, tutor and admin profiles, as well as internal course metadata. By changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint, an attacker can retrieve sensitive data that should be protected. This indicates an unauthorized disclosure of private information, a classic broken access control problem (CWE\u2011284 and CWE\u2011285).", "risk_and_exploitability": "The CVSS base score of 6.5 indicates a medium severity with significant confidentiality impact. The EPSS score is reported as less than 1\u202f%, implying a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. However, an attacker only needs to be authenticated as a student, intercept the network traffic, and modify the HTTP method \u2013 a straightforward technique that can be performed over an unsecured network or via a browser developer console. Consequently, the risk is moderate but should not be ignored, especially in environments where sensitive student or instructor data is stored."}}}}, "created": "2026-04-27T19:15:11.633553+00:00", "title": "Student Accounts Can Retrieve Unauthorized Course Information by Modifying API Requests", "updated": "2026-04-28T07:15:19.377408+00:00", "vendors": ["classroomio", "classroomio$PRODUCT$classroomio"]}