Description
A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.
Published: 2026-04-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized impersonation and remote control of student devices
Action: Immediate Action
AI Analysis

Impact

An unauthenticated client‑side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows attackers to bypass integrity checks and forge client‑generated authorization tokens, giving them the ability to impersonate legitimate users and gain control and monitoring capabilities of student devices. The weakness is classified as CWE‑863 (Authorization Bypass through User-Controlled Key). The impact includes unauthorized remote device control, potential data exfiltration, and disruption of classroom management.*

Affected Systems

The vulnerability affects Lightspeed Classroom version 5.1.2.1763770643. No other versions or products are listed at this time.*

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is client‑side; the flaw can be exercised by any entity able to interact with the Classroom client, whether by only providing forged tokens or by directly accessing the client’s network endpoints. Detailed exploitation steps are not supplied in the advisory, but the description implies that an attacker can impersonate a user without needing prior authentication.*

Generated by OpenCVE AI on April 28, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit network access to the Lightspeed Classroom client, blocking unauthorized IPs and ports that could be used to transmit forged tokens.
  • Disable or strictly monitor remote control and monitoring features in the Classroom client until a vendor patch or upgrade is available.
  • Plan to upgrade to a patched version of Lightspeed Classroom as soon as the vendor releases a fix.

Generated by OpenCVE AI on April 28, 2026 at 14:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Authorization Flaw Enables Remote Control in Lightspeed Classroom

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Lightspeed
Lightspeed lightspeed Classroom
Vendors & Products Lightspeed
Lightspeed lightspeed Classroom

Mon, 27 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-863
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Fri, 24 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.
References

Subscriptions

Lightspeed Lightspeed Classroom
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T10:18:21.695Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30368

cve-icon Vulnrichment

Updated: 2026-04-24T18:28:53.726Z

cve-icon NVD

Status : Deferred

Published: 2026-04-24T16:16:34.993

Modified: 2026-04-27T11:16:01.770

Link: CVE-2026-30368

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses