Description
A weakness has been identified in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This impacts the function sign_auth_cookie of the file application/controllers/Login.php of the component MY_Controller. Executing a manipulation of the argument role can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-31
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the sign_auth_cookie function of the Login controller, where an attacker can alter the role argument to bypass authentication. This flaw allows unauthorized users to gain access to protected resources and has been identified as CWE-287, an authentication bypass weakness. During exploitation the attacker crafts a request that changes the role parameter used in the authentication cookie, causing the system to treat the request as fully authenticated. The impact includes unauthorized reading, modification, or deletion of student records and potentially higher privileges if administrative roles are granted.

Affected Systems

The affected product is the School Student Management System developed by OUSL-GROUP-BrinaryBrains. The issue affects all versions up to the commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Because the project follows a rolling-releases model, specific version numbers are not published, so any deployment built before the commit is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack can be carried out remotely from the internet, and public proof-of-concept exploits have been released. An attacker can manipulate the role parameter in a request to the sign_auth_cookie method, bypassing authentication checks and gaining unauthorized access.

Generated by OpenCVE AI on May 31, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor release that addresses the sign_auth_cookie role validation flaw, if available.
  • Introduce a local patch that sanitizes the role input in the Login controller, ensuring only authorized role values are accepted or that the role parameter is ignored during authentication checks.
  • Configure a web-application firewall or monitor application logs to detect and block requests that attempt to manipulate the role argument, and enforce a strict rate limit on login attempts.

Advisories

No advisories yet.

History

Sun, 31 May 2026 05:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This impacts the function sign_auth_cookie of the file application/controllers/Login.php of the component MY_Controller. Executing a manipulation of the argument role can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Title OUSL-GROUP-BrinaryBrains School Student Management System MY_Controller Login.php sign_auth_cookie improper authentication
First Time appeared Ousl-group-brinarybrains
Ousl-group-brinarybrains school Student Management System
Weaknesses CWE-287
CPEs cpe:2.3:a:ousl-group-brinarybrains:school_student_management_system:*:*:*:*:*:*:*:*
Vendors & Products Ousl-group-brinarybrains
Ousl-group-brinarybrains school Student Management System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T03:30:09.909Z

Reserved: 2026-05-30T09:31:01.086Z

Link: CVE-2026-10167

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T05:16:23.807

Modified: 2026-05-31T05:16:23.807

Link: CVE-2026-10167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T06:30:06Z

Weaknesses