Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover
Action: Patch
AI Analysis

Impact

The Open eClass platform issues a password-reset token that is intended to be single-use. In versions older than 4.2 the token is not invalidated after the first successful password change, so a local attacker who has access to a valid token can use it again to set a new password for any account. This flaw directly undermines account integrity and is classified as CWE-613 (Insufficient Session Expiration): the credential is not invalidated after use.

Affected Systems

The vulnerability is present in the Open eClass platform supplied by gunet. All releases prior to version 4.2 are affected; the issue was remedied in the 4.2 release.

Risk and Exploitability

The CVSS score of 7.8 marks the flaw as high severity. The EPSS score of less than 1% indicates a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an attacker who can acquire a reset token can reuse it to take over an account, so the potential impact is significant once a token is exposed.

Generated by OpenCVE AI on April 18, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open eClass to version 4.2 or later to ensure that reset tokens are invalidated after a single use.
  • In the interim, modify the reset workflow to immediately revoke any token after it is used and store tokens only transiently in memory, not in persistent storage.
  • Add a server‑side check that rejects any password‑reset request whose token has already been consumed, ensuring that each token can only be used once.
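
An added example of the server-side single-use check recommended above; it is not Open eClass code or the 4.2 patch. The table layout, function names and one-hour lifetime are assumptions, and the store is an in-memory SQLite database so tokens stay transient.

```python
import hashlib, secrets, sqlite3, time

TOKEN_TTL = 3600  # seconds; assumed lifetime, not taken from Open eClass

def open_store():
    # In-memory store, matching the interim advice to keep tokens transient.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY,"
               " user_id INTEGER NOT NULL, expires_at REAL NOT NULL,"
               " used_at REAL)")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, pw TEXT)")
    return db

def digest(token):
    # Only a hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, user_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    with db:
        # Revoke any older outstanding token for this user.
        db.execute("DELETE FROM reset_tokens WHERE user_id = ?", (user_id,))
        db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?, NULL)",
                   (digest(token), user_id, now + TOKEN_TTL))
    return token

def reset_password(db, token, new_pw_hash, now=None):
    """Consume the token and change the password in one transaction."""
    now = time.time() if now is None else now
    with db:
        # One conditional UPDATE: only one request can flip used_at from NULL.
        cur = db.execute(
            "UPDATE reset_tokens SET used_at = ? WHERE token_hash = ?"
            " AND used_at IS NULL AND expires_at > ?",
            (now, digest(token), now))
        if cur.rowcount != 1:
            return False  # unknown, expired, or already consumed
        (user_id,) = db.execute(
            "SELECT user_id FROM reset_tokens WHERE token_hash = ?",
            (digest(token),)).fetchone()
        db.execute("UPDATE users SET pw = ? WHERE id = ?",
                   (new_pw_hash, user_id))
    return True
```

Marking the token used and changing the password share one transaction, so a replayed or concurrent request carrying the same token finds `used_at` already set and is rejected.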

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gunet; Gunet open Eclass Platform
CPEs | | cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Vendors & Products | | Gunet; Gunet open Eclass Platform

Wed, 04 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openeclass; Openeclass openeclass
Vendors & Products | | Openeclass; Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2.
Title | | Open eClass Insecure Password Reset Token Reuse Enables Account Takeover
Weaknesses | | CWE-613
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:51:37.677Z

Reserved: 2026-01-23T20:40:23.387Z

Link: CVE-2026-24669

Vulnrichment

Updated: 2026-02-04T15:54:20.911Z

NVD

Status: Analyzed

Published: 2026-02-03T18:16:21.820

Modified: 2026-02-10T18:31:05.160

Link: CVE-2026-24669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses