Description
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. When a non-existent email is provided in the login parameter, the endpoint returns an HTTP 400 response (Bad Request). When a valid email is supplied, the endpoint responds with HTTP 200. This difference in server responses creates an observable discrepancy that allows an attacker to reliably determine which emails are registered in the application. By automating requests with a list of possible email addresses, an attacker can quickly build a list of valid accounts without any authentication. The endpoint should return a consistent response regardless of whether the username exists in order to prevent account enumeration. Version 2.0.13 fixes this issue.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Account Enumeration
Action: Patch
AI Analysis

Impact

The vulnerability exists in OpenAEV's password-reset API (/api/reset). When the login parameter carries an email address that exists in the system, the API responds with HTTP 200; when it does not, it returns HTTP 400. This differential response reveals whether an account exists, an information exposure classified as CWE-204 (observable response discrepancy). An unauthenticated attacker can use it to enumerate valid user accounts; downstream uses such as targeted credential attacks against the enumerated users are plausible but are not described in the advisory.

Affected Systems

OpenAEV‑Platform’s open source product openaev is affected across all releases beginning with version 1.11.0 and continuing up to, but not including, version 2.0.13. The patch that resolves the issue is incorporated in release 2.0.13 and later builds.

Risk and Exploitability

The advisory carries a CVSS 3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): network-reachable, low attack complexity, no privileges or user interaction required, with a limited confidentiality impact and no effect on integrity or availability. EPSS data is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, so no in-the-wild exploitation has been recorded there; the SSVC assessment nevertheless marks it as automatable with proof-of-concept exploitation. Based on the description, any client that can reach the /api/reset endpoint can trigger the differential responses without authentication, so running a wordlist of candidate addresses against it is trivial to automate. The risk is higher when the platform is exposed to the public internet, or when the resulting account list can be fed into credential attacks (such as password spraying) against the same users.

Generated by OpenCVE AI on April 20, 2026 at 18:39 UTC.
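The enumeration pattern described above is easy to spot in web-server access logs: one client hammering /api/reset with a wordlist produces a burst of requests and, on an unpatched instance, a mix of 400 and 200 responses. The detector below is an added example written for this page, not code from OpenAEV or the advisory; the log lines are constructed in the common log format, and the thresholds (5 requests in 60 seconds) and field names are assumptions to tune for a real deployment.

```python
"""Added example (not OpenAEV code): flag clients that appear to be enumerating
accounts through /api/reset, using constructed access-log lines. The
thresholds and the summary field names are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Common log format: ip ident user [ts] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client spraying a wordlist (mixed 400/200 on an
# unpatched instance), two normal users touching the endpoint once each.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2026:17:00:01 +0000] "POST /api/reset HTTP/1.1" 400 12
198.51.100.7 - - [20/Apr/2026:17:00:01 +0000] "POST /api/reset HTTP/1.1" 400 12
198.51.100.7 - - [20/Apr/2026:17:00:02 +0000] "POST /api/reset HTTP/1.1" 200 19
198.51.100.7 - - [20/Apr/2026:17:00:02 +0000] "POST /api/reset HTTP/1.1" 400 12
198.51.100.7 - - [20/Apr/2026:17:00:03 +0000] "POST /api/reset HTTP/1.1" 400 12
198.51.100.7 - - [20/Apr/2026:17:00:03 +0000] "POST /api/reset HTTP/1.1" 200 19
203.0.113.9 - - [20/Apr/2026:17:00:05 +0000] "POST /api/reset HTTP/1.1" 200 19
203.0.113.9 - - [20/Apr/2026:17:00:09 +0000] "GET /api/me HTTP/1.1" 200 311
192.0.2.44 - - [20/Apr/2026:17:01:00 +0000] "POST /api/reset HTTP/1.1" 400 12
"""


def parse(lines):
    """Yield (ip, timestamp, status) for each /api/reset request.

    Lines that do not parse, or hit another path, are skipped rather than
    allowed to abort the run: log tailing must survive junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != "/api/reset":
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def detect_enumeration(lines, min_requests=5, window_seconds=60):
    """Return {ip: summary} for clients whose densest window of /api/reset
    calls holds at least min_requests requests.

    On an unpatched instance the 200/400 mix is the enumeration signature
    itself (mixed_status=True); on a patched instance every reply is 200, so
    request volume alone has to carry the signal."""
    by_ip = defaultdict(list)
    for ip, ts, status in parse(lines):
        by_ip[ip].append((ts, status))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Sliding window over sorted timestamps; keep the densest one.
        best, start = (0, 0), 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        count = best[1] - best[0] + 1
        if count >= min_requests:
            statuses = [s for _, s in events[best[0]:best[1] + 1]]
            flagged[ip] = {
                "requests": count,
                "not_found": statuses.count(400),
                "found": statuses.count(200),
                "mixed_status": len(set(statuses)) > 1,
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

In the sample, only 198.51.100.7 is flagged: six reset requests in three seconds, four of them 400, two of them 200, which on a vulnerable build means the client has just confirmed two accounts. The two single-request clients stay below the threshold. After upgrading to 2.0.13 the `mixed_status` field stops being informative, so alert on `requests` alone.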

Remediation

Fixed in OpenAEV 2.0.13; upgrade to that version or later. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade OpenAEV to version 2.0.13 or later, where the password-reset endpoint no longer leaks account existence.
  • If an immediate upgrade is not possible, modify the /api/reset implementation so that known and unknown logins receive the same status code, body and headers (for example, HTTP 200 with a generic "if the account exists, an email has been sent" message), removing the discrepancy. Keep the response time comparable in both branches as well: a cheaper "not found" path can leak the same bit through timing.
  • Validate the login parameter syntactically before the account lookup, so that any 400 depends only on the input format and never on whether the account exists, and apply per-client rate limiting or request throttling on /api/reset to slow automated enumeration (CWE-204).

Generated by OpenCVE AI on April 20, 2026 at 18:39 UTC.
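To make the recommendations concrete, the block below shows the leaking handler described in the advisory next to a hardened one, a per-client rate limiter in front of it, and the attacker-side probe that turns the status-code split into an account list. This is an added example written for this page, not OpenAEV's code: the user store, the function names (reset_vulnerable, reset_hardened, RateLimiter, probe) and the wordlist are constructed assumptions, and the mail step is a stub.

```python
"""Added example (not OpenAEV code): a password-reset handler with the
status-code oracle the advisory describes, a hardened handler that answers
identically for known and unknown logins, a per-client rate limiter, and an
attacker-side probe showing what each version gives away. All names and data
here are illustrative assumptions, not OpenAEV identifiers."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed user store for the demo: email -> display name.
USERS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}
SENT_MAIL = []          # records who would have received a reset link
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def send_reset_mail(login):
    SENT_MAIL.append(login)     # stand-in for the real mail step


def reset_vulnerable(login):
    """Behaviour the advisory describes: 400 for an unknown login, 200 for a known one."""
    if login not in USERS:
        return Response(400, "Bad Request")
    send_reset_mail(login)
    return Response(200, "Reset email sent")


def reset_hardened(login):
    """Same status and body whether or not the login exists.

    Only syntactic validation may reject the request, and it runs before and
    independently of the account lookup, so a 400 never reveals membership.
    The mail is still sent only to real accounts; the caller cannot tell."""
    if not EMAIL_RE.match(login):
        return Response(400, "Invalid request")
    if login in USERS:
        send_reset_mail(login)
    return Response(200, "If that account exists, a reset email has been sent")


class RateLimiter:
    """Sliding-window limiter keyed by client: at most `limit` calls per `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, client, now):
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def reset_throttled(limiter, client, now, login):
    """Hardened handler behind the limiter; a 429 depends only on the client, never on the login."""
    if not limiter.allow(client, now):
        return Response(429, "Too Many Requests")
    return reset_hardened(login)


def probe(handler, candidates):
    """Attacker-side enumeration: submit each candidate and compare the replies.

    Returns (oracle_present, confirmed_accounts). Against reset_vulnerable the
    200/400 split yields the registered addresses; against reset_hardened every
    candidate gets the same reply, so nothing can be inferred."""
    results = {c: handler(c) for c in candidates}
    oracle = len({(r.status, r.body) for r in results.values()}) > 1
    confirmed = sorted(c for c, r in results.items() if r.status == 200) if oracle else []
    return oracle, confirmed


# Constructed wordlist: two real accounts mixed with guesses.
CANDIDATES = ["alice@example.com", "carol@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    print("vulnerable:", probe(reset_vulnerable, CANDIDATES))
    print("hardened:  ", probe(reset_hardened, CANDIDATES))
```

Against `reset_vulnerable` the probe recovers exactly the two registered addresses; against `reset_hardened` every candidate gets the same 200 and the same body, so the probe reports no oracle. The rate limiter is a second, independent layer: it slows a wordlist run but does not by itself close the leak, which is why the constant response comes first.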


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type / Values added (nothing removed):
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:15:00 +0000

Type / Values added (nothing removed; initial publication):
Description: OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. When a non-existent email is provided in the login parameter, the endpoint returns an HTTP 400 response (Bad Request). When a valid email is supplied, the endpoint responds with HTTP 200. This difference in server responses creates an observable discrepancy that allows an attacker to reliably determine which emails are registered in the application. By automating requests with a list of possible email addresses, an attacker can quickly build a list of valid accounts without any authentication. The endpoint should return a consistent response regardless of whether the username exists in order to prevent account enumeration. Version 2.0.13 fixes this issue.
Title: OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API
Weaknesses: CWE-204
References: (none listed)
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:24:44.061Z

Reserved: 2026-01-23T00:38:20.546Z

Link: CVE-2026-24468

Vulnrichment

Updated: 2026-04-20T16:24:39.346Z

NVD

Status: Deferred

Published: 2026-04-20T16:16:41.617

Modified: 2026-04-20T18:59:16.353

Link: CVE-2026-24468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses