Description
An issue in ClassroomIO before v0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile
Published: 2026-03-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

ClassroomIO before version 0.2.6 allows a remote attacker to elevate privileges via the exposed API endpoints /api/verify and /rest/v1/profile. The record maps the flaw to CWE-290 (Authentication Bypass by Spoofing), CWE-345 (Insufficient Verification of Data Authenticity) and CWE-639 (Authorization Bypass Through User-Controlled Key); all three describe a server that acts on client-supplied identity or object data without adequately verifying it. A successful attacker obtains permissions beyond those intended, and the CVSS vector records full loss of confidentiality, integrity and availability for the application.

Affected Systems

All releases of ClassroomIO older than 0.2.6 are affected. The CVE description places the fix in the 0.2.6 release; the record gives no further vendor or product details (no affected-component list and no linked advisory).

Risk and Exploitability

The CVSS v3.1 base score of 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the vulnerability High: it is reachable over the network, requires no privileges or user interaction, and fully compromises confidentiality, integrity and availability, but the High attack complexity means the attacker must satisfy some condition beyond simply sending a request. The EPSS score is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC decision points record no known exploitation and mark it as not automatable. Taken together, the description and vector indicate an unauthenticated attacker over HTTP targeting the two named endpoints.

Generated by OpenCVE AI on March 17, 2026 at 17:54 UTC.

Remediation

No vendor advisory or workaround is linked on this record. The CVE description itself identifies version 0.2.6 as the release containing the fix.

OpenCVE Recommended Actions

  • Upgrade ClassroomIO to version 0.2.6 or later, the release the CVE description identifies as fixed.
  • If an upgrade cannot be performed immediately, temporarily block or restrict unauthenticated requests to the /api/verify and /rest/v1/profile endpoints at the firewall or reverse proxy.
  • After upgrading, confirm that both endpoints reject unauthenticated requests, and review other API routes for the same pattern of trusting client-supplied identity or object identifiers.
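The following script is an added example, not code from ClassroomIO or OpenCVE. It turns the two actions above into a repeatable check: it decides whether a reported version predates the 0.2.6 fix, then sends unauthenticated GET requests to the two endpoints named in the CVE and classifies each response. The base URL is hypothetical, and the script assumes that a correctly protected endpoint answers an anonymous request with 401 or 403. A 2xx answer does not by itself prove the vulnerability (the record does not describe the exploit mechanism); it only flags the endpoint for manual review.

```python
"""Post-remediation check for CVE-2025-67298 (ClassroomIO < 0.2.6).

Added example, not ClassroomIO or OpenCVE code. BASE_URL is hypothetical.
Assumption: a protected endpoint rejects anonymous requests with 401/403.
"""
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (0, 2, 6)
# Endpoints named in the CVE description.
ENDPOINTS = ("/api/verify", "/rest/v1/profile")


def parse_version(text):
    """Turn 'v0.2.5', '0.2.6' or '0.2.6-rc1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the running release predates the fix in 0.2.6."""
    return parse_version(version_text) < FIXED_VERSION


def classify_status(status):
    """Map the HTTP status of an unauthenticated probe to a verdict."""
    if status in (401, 403):
        return "protected"      # auth enforced, the expected post-fix answer
    if status == 404:
        return "absent"         # route missing, or blocked at the proxy
    if 200 <= status < 300:
        return "review"         # answered without credentials: inspect manually
    return "unexpected"


def probe(base_url, endpoints=ENDPOINTS, timeout=5):
    """Send anonymous GETs and return {path: (status or None, verdict)}."""
    results = {}
    for path in endpoints:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as e:
            status = e.code            # 4xx/5xx still carry a status
        except urllib.error.URLError:
            results[path] = (None, "unreachable")
            continue
        results[path] = (status, classify_status(status))
    return results


if __name__ == "__main__":
    # Hypothetical defaults; pass a real base URL and version on the command line.
    base_url = sys.argv[1] if len(sys.argv) > 1 else "https://classroomio.example"
    version = sys.argv[2] if len(sys.argv) > 2 else "0.2.5"
    print(f"version {version}: {'AFFECTED' if is_affected(version) else 'fixed'}")
    for path, (status, verdict) in probe(base_url).items():
        print(f"{path}: HTTP {status} -> {verdict}")
```

Run it against a staging instance before and after the upgrade; both endpoints should move from "review" to "protected", and a lingering "review" verdict after upgrading to 0.2.6 or later warrants a closer look at the reverse-proxy and application configuration rather than an assumption that the fix is missing.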

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type: Title
Values added: Remote Privilege Escalation via Unprotected APIs in ClassroomIO

Thu, 12 Mar 2026 10:15:00 +0000

Type: First time appeared
Values added: Classroomio; Classroomio classroomio
Type: Vendors & Products
Values added: Classroomio; Classroomio classroomio

Wed, 11 Mar 2026 16:15:00 +0000

Type: Weaknesses
Values added: CWE-290, CWE-345, CWE-639
Type: Metrics
Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 15:15:00 +0000

Type: Description
Values added: An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile
Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-11T15:34:24.330Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67298

Vulnrichment

Updated: 2026-03-11T15:28:37.639Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T15:16:21.207

Modified: 2026-03-12T21:08:22.643

Link: CVE-2025-67298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:33:47Z

Weaknesses