CVE-2025-67259 - Vulnerability Details

- Student Accounts Can Retrieve Unauthorized Course Information by Modifying API Requests

Description

A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata.

Published: 2026-04-24

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a broken access control in ClassroomIO v0.1.13 that allows any authenticated low‑privileged student to read other students’ personal information, tutor and admin profiles, as well as internal course metadata. By changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint, an attacker can retrieve sensitive data that should be protected. This indicates an unauthorized disclosure of private information, a classic broken access control problem (CWE‑284 and CWE‑285).

Affected Systems

ClassroomIO version 0.1.13 on all deployments is affected. No other versions were identified in the current advisory.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium severity with significant confidentiality impact. The EPSS score is reported as less than 1 %, implying a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. However, an attacker only needs to be authenticated as a student, intercept the network traffic, and modify the HTTP method – a straightforward technique that can be performed over an unsecured network or via a browser developer console. Consequently, the risk is moderate but should not be ignored, especially in environments where sensitive student or instructor data is stored.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Classroomio

80%

Version	Status	Scheme	Platform
`0.1.13`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ClassroomIO to a patched version that restricts GET access on the /rest/v1/course endpoint to authorized roles – for example, upgrade to v0.1.14 or later if available.
Reconfigure the PostgREST service or the application’s routing logic so that only POST requests are accepted on /rest/v1/course for student users, or add explicit authorization checks to ensure that only users with the correct permissions can retrieve course data.
Implement network monitoring and enforcement of TLS to detect and block abnormal GET requests to /rest/v1/course and to prevent interception of requests by attackers.

Generated by OpenCVE AI on April 28, 2026 at 07:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link
https://github.com/classroomio/classroomio/issues/642

History

Tue, 28 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
Title		Student Accounts Can Retrieve Unauthorized Course Information by Modifying API Requests

Mon, 27 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Classroomio Classroomio classroomio
Vendors & Products		Classroomio Classroomio classroomio

Fri, 24 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284 CWE-285
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata.
References		https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link https://github.com/classroomio/classroomio/issues/642

Subscriptions

Classroomio Classroomio

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-24T00:00:00.000Z

Updated: 2026-04-24T17:58:28.632Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67259

Vulnrichment

Updated: 2026-04-24T17:57:12.741Z

NVD

Status : Deferred

Published: 2026-04-24T16:16:23.907

Modified: 2026-04-24T18:16:23.980

Link: CVE-2025-67259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object