Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized creation of course units by students
Action: Patch Update
AI Analysis

Impact

The vulnerability is a broken access control that allows authenticated students to create new course units, a function normally restricted to higher‑privileged roles. This enables students to add or modify instructional units, potentially injecting unauthorized content or altering course structure. The flaw aligns with CWE‑284, providing unauthorized elevation of privileges within the platform.

Affected Systems

The affected product is the Open eClass platform (formerly GUnet eClass), distributed by GUnet. All versions earlier than 4.2 are vulnerable. The issue was fixed in release 4.2, which revokes the students' ability to create units.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk, and an EPSS of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated student session; therefore the threat is constrained to users who can obtain or compromise legitimate login credentials. No network‑level attack vector is needed, limiting risk to environments where student accounts or credentials are exposed.

Generated by OpenCVE AI on April 18, 2026 at 00:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Open eClass platform to version 4.2 or later, where the broken access control has been corrected.
  • Review the platform’s role‑based access control configuration to ensure that only authorized roles can create course units, removing this privilege from student accounts.
  • If an immediate upgrade is not possible, temporarily disable the unit‑creation functionality for students by adjusting the application code or configuration to enforce the proper role check before allowing unit creation.


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gunet; Gunet open Eclass Platform
CPEs | | cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Vendors & Products | | Gunet; Gunet open Eclass Platform

Wed, 04 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openeclass; Openeclass openeclass
Vendors & Products | | Openeclass; Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.
Title | | Open eClass Has Broken Access Control in Course Units Module Allows Students to Create Units
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:52:43.929Z

Reserved: 2026-01-23T20:40:23.387Z

Link: CVE-2026-24670

Vulnrichment

Updated: 2026-02-04T15:46:39.094Z

NVD

Status: Analyzed

Published: 2026-02-03T18:16:22.067

Modified: 2026-02-10T18:22:04.237

Link: CVE-2026-24670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses