CVE-2026-24664
Unknown Unknown - Not Provided

Username Enumeration in Open eClass Before 4.2 Allows Account Disclosure

Vulnerability report for CVE-2026-24664, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-07-06
AI Q&A
2026-02-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gunet open_eclass_platform to 4.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to enumerate valid usernames by analyzing differences in login response behavior, which leads to a low confidentiality impact.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to identify valid user accounts could potentially increase the risk of targeted attacks or unauthorized access attempts, which may have implications for protecting personal data under such regulations.

However, since the vulnerability does not directly expose sensitive personal data or compromise data integrity or availability, its impact on compliance with these regulations is likely limited but still relevant as part of an overall security posture.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-24664 is a username enumeration vulnerability in the Open eClass platform versions up to 4.1. It allows unauthenticated attackers to identify valid usernames by analyzing differences in the login response behavior.'}, {'type': 'paragraph', 'content': 'Specifically, when a valid username is submitted to the login endpoint, the server responds with a temporary session cookie (Set-Cookie: PHPSESSID=...), but when an invalid username is submitted, no session cookie is set. This difference enables attackers to distinguish valid usernames from invalid ones.'}, {'type': 'paragraph', 'content': "Attackers can exploit this vulnerability by sending automated requests with lists of potential usernames and observing the server's responses."}] [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to discover valid usernames on your Open eClass platform without authentication.

Knowing valid usernames can facilitate further attacks such as password guessing, phishing, or social engineering, potentially leading to unauthorized access.

However, the vulnerability does not directly impact data integrity or availability, and its confidentiality impact is considered low.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by analyzing the login response behavior of the Open eClass platform. Specifically, when submitting a username to the login endpoint, observe whether the server sets a session cookie (Set-Cookie: PHPSESSID=...). A valid username submission results in a session cookie being set, while an invalid username does not.'}, {'type': 'paragraph', 'content': 'To detect this on your system or network, you can perform automated HTTP requests to the login endpoint with a list of potential usernames and monitor the presence or absence of the Set-Cookie header in the responses.'}, {'type': 'paragraph', 'content': 'Example command using curl to test a username:'}, {'type': 'list_item', 'content': 'curl -i -X POST -d "username=TEST_USERNAME&password=any" https://your-openeclass-domain/login'}, {'type': 'paragraph', 'content': 'Check the response headers for the Set-Cookie field. If the PHPSESSID cookie is present, the username is likely valid; if absent, the username is invalid.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this username enumeration vulnerability has been patched.

Until the upgrade can be performed, consider implementing additional protections such as rate limiting login attempts, monitoring for suspicious login activity, and employing web application firewalls to detect and block automated username enumeration attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24664. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart