Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized content addition to course units
Action: Immediate Patch
AI Analysis

Impact

Prior to version 4.2 of the Open eClass platform, a broken access control flaw let authenticated students add new content to course units that should have been restricted to instructors or administrators. This unauthorized privilege enables students to upload or publish slides, documents, or other learning materials, undermining the integrity of the course content. The flaw is classified as CWE-284, indicating incorrect or missing access control enforcement.

Affected Systems

The vulnerability affects the Open eClass platform (gunet:openeclass). Versions earlier than 4.2 are impacted. Administrators should verify the platform version in use and also check any custom deployments that inherit the same access control logic, since those may expose the same issue.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests a low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Nevertheless, authenticated users can insert arbitrary content, potentially spreading misinformation or inappropriate material. The attack vector is the web interface used by logged-in students; no additional privileges or code execution are required.

Generated by OpenCVE AI on April 18, 2026 at 00:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Open eClass installation to version 4.2 or higher, which removes the access control flaw.
  • Configure role‑based permissions to limit content creation and editing to instructors or administrators only.
  • Review existing course content for unauthorized additions and revert any that compromise course integrity.
  • If an immediate upgrade is not feasible, temporarily disable the content addition feature for student roles through the platform configuration.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gunet; Gunet open Eclass Platform
CPEs | | cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Vendors & Products | | Gunet; Gunet open Eclass Platform

Wed, 04 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openeclass; Openeclass openeclass
Vendors & Products | | Openeclass; Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.
Title | | Open eClass Broken Access Control Allows Students to Add Content to Course Units
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:51:43.187Z

Reserved: 2026-01-23T20:40:23.387Z

Link: CVE-2026-24668

Vulnrichment

Updated: 2026-02-04T15:46:28.160Z

NVD

Status: Analyzed

Published: 2026-02-03T18:16:21.610

Modified: 2026-02-10T18:32:55.670

Link: CVE-2026-24668

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z