Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Username Enumeration
Action: Patch
AI Analysis

Impact

The Open eClass platform permits unauthenticated users to discover valid usernames by observing differences in the login response. An attacker who can query the login endpoint can determine which account names exist, which can be used to craft targeted phishing or credential-stuffing attacks. The weakness is classified as a username enumeration flaw (CWE‑204).

Affected Systems

The vulnerability affects all installations of the Open eClass platform version 4.1 and earlier, released under the Gunet project. Accounts created prior to the 4.2 release are susceptible. Administrators of public or private LMS instances should review the installed version to determine exposure.

Risk and Exploitability

This issue has a CVSS score of 5.3, indicating a medium severity impact. The EPSS score is less than 1%, suggesting a very low probability of exploitation. It is not listed in the CISA KEV catalog. Attackers need only access the web login page, so the attack vector is likely remote via HTTP. Because the vulnerability is present only in earlier releases, the risk can be reduced by updating to a patched version.

Generated by OpenCVE AI on April 18, 2026 at 00:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Open eClass installation to version 4.2 or later
  • If an upgrade cannot be performed immediately, enforce login throttling and suppress detailed authentication error messages to mitigate information leakage
  • Continuously monitor authentication logs for abnormal username enumeration attempts

Generated by OpenCVE AI on April 18, 2026 at 00:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Gunet
Gunet open Eclass Platform
CPEs cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Vendors & Products Gunet
Gunet open Eclass Platform

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Openeclass
Openeclass openeclass
Vendors & Products Openeclass
Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2.
Title Open eClass is Vulnerable to Username Enumeration via Login Response Discrepancies
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gunet Open Eclass Platform
Openeclass Openeclass
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:52:52.603Z

Reserved: 2026-01-23T20:40:23.386Z

Link: CVE-2026-24664

cve-icon Vulnrichment

Updated: 2026-02-04T15:55:15.312Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T18:16:19.377

Modified: 2026-02-10T18:49:05.527

Link: CVE-2026-24664

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses