Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized read of user files via unauthenticated IDOR
Action: Patch
AI Analysis

Impact

The Open eClass platform versions prior to 4.2 contain an insecure direct object reference that allows any unauthenticated remote user to download personal files of other users by predicting user identifiers. This flaw leads to a confidentiality breach and is categorized as CWE-639.

Affected Systems

Open eClass, a course management system from gunet, is affected in all releases before version 4.2. Any installation using such a version without a patch remains vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is below 1 %, reflecting a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a predictable user identifier and a basic HTTP request, making the attack path simple for remote actors. The primary risk is the unauthorized disclosure of private user data.

Generated by OpenCVE AI on April 18, 2026 at 00:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open eClass to v4.2 or later to eliminate the IDOR flaw.
  • Review all code paths that expose user identifiers to ensure proper authorization checks are enforced before file access.
  • Implement logging and alerting for anomalous requests to user file endpoints to detect potential abuse before remediation.

Generated by OpenCVE AI on April 18, 2026 at 00:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Gunet
Gunet open Eclass Platform
CPEs cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Vendors & Products Gunet
Gunet open Eclass Platform

Wed, 04 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Openeclass
Openeclass openeclass
Vendors & Products Openeclass
Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2.
Title Open eClass Unauthenticated IDOR Allows Access to Arbitrary User Files
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Gunet Open Eclass Platform
Openeclass Openeclass
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:52:13.108Z

Reserved: 2026-01-26T21:06:47.868Z

Link: CVE-2026-24773

cve-icon Vulnrichment

Updated: 2026-02-04T15:55:13.900Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T18:16:24.373

Modified: 2026-02-10T17:25:21.613

Link: CVE-2026-24773

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses