Description
An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile
Published: 2026-03-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The flaw lies in ClassroomIO’s /api/verify and /rest/v1/profile endpoints, which lack proper authorization checks. A remote attacker can craft HTTP requests to these endpoints and obtain administrative privileges, effectively gaining full control of the application. The weakness aligns with CWE‑290 (Missing Authorization) and CWE‑639 (Privilege Escalation).

Affected Systems

ClassroomIO applications running any version prior to 0.2.6 are affected. The issue is present in all builds of ClassroomIO before the 0.2.6 release, regardless of deployment environment.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity. Despite a low EPSS of less than 1 % and no current listing in CISA’s KEV catalog, the potential for remote privilege escalation remains significant. An attacker would need network access to the application’s API layer, which is typically exposed to legitimate users, making exploitation plausible in environments lacking additional network segmentation.

Generated by OpenCVE AI on April 7, 2026 at 09:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClassroomIO to version 0.2.6 or later.
  • Verify that /api/verify and /rest/v1/profile endpoints require authentication.
  • Monitor application logs for suspicious API activity.
  • Restrict network access to the API endpoints using firewall or access controls.

Generated by OpenCVE AI on April 7, 2026 at 09:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Remote Privilege Escalation via Unprotected APIS in ClassroomIO

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:classroomio:classroomio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Title Remote Privilege Escalation via Unprotected APIS in ClassroomIO

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Classroomio
Classroomio classroomio
Vendors & Products Classroomio
Classroomio classroomio

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
CWE-345
CWE-639
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile
References

Subscriptions

Classroomio Classroomio
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-11T15:34:24.330Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67298

cve-icon Vulnrichment

Updated: 2026-03-11T15:28:37.639Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T15:16:21.207

Modified: 2026-04-07T01:19:45.960

Link: CVE-2025-67298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:02:39Z

Weaknesses