{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24668", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T20:40:23.387Z", "datePublished": "2026-02-03T16:59:48.362Z", "dateUpdated": "2026-02-04T16:51:43.187Z"}, "containers": {"cna": {"title": "Open eClass Broken Access Control Allows Students to Add Content to Course Units", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v"}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"version": "< 4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:59:48.362Z"}, "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2."}], "source": {"advisory": "GHSA-22cq-9fr7-fq6v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T15:46:27.425954Z", "id": "CVE-2026-24668", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:51:43.187Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24668", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T15:46:27.425954Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T15:46:28.160Z"}}], "cna": {"title": "Open eClass Broken Access Control Allows Students to Add Content to Course Units", "source": {"advisory": "GHSA-22cq-9fr7-fq6v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"status": "affected", "version": "< 4.2"}]}], "references": [{"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v", "name": "https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:59:48.362Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24668", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:51:43.187Z", "dateReserved": "2026-01-23T20:40:23.387Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T16:59:48.362Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "62F1C084-2C90-4AB3-A13E-28323DC385C0", "versionEndExcluding": "4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2."}], "id": "CVE-2026-24668", "lastModified": "2026-02-10T18:32:55.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T18:16:21.610", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:16:12.093985+00:00", "value": {"mitigation_remediation": ["Upgrade the Open eClass installation to version 4.2 or higher, which removes the access control flaw.", "Configure role\u2011based permissions to limit content creation and editing to instructors or administrators only.", "Review existing course content for unauthorized additions and revert any that compromise course integrity.", "If an immediate upgrade is not feasible, temporarily disable the content addition feature for student roles through the platform configuration."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized content addition to course units"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Open eClass platforms developed by gunet:openeclass. Versions earlier than 4.2 are impacted. Administrators should verify the platform version in use, and any custom deployments that inherit the same access control logic, as they may also expose the same issue.", "description_and_impact": "Prior to version 4.2 of the Open eClass platform, a broken access control flaw let authenticated students add new content to course units that should have been restricted to instructors or administrators. This unauthorized privilege enables students to upload or publish slides, documents, or other learning materials, undermining the integrity of the course content. The flaw is classified as CWE-284, indicating incorrect or missing access control enforcement.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Nevertheless, authenticated users can insert arbitrary content, potentially spreading misinformation or inappropriate material. The attack vector is through the web interface used by logged\u2011in students; no additional privileges or code execution are required."}}}}, "created": "2026-02-04T12:09:41.064580+00:00", "updated": "2026-04-18T00:30:25.699868+00:00", "vendors": ["openeclass", "openeclass$PRODUCT$openeclass"]}