CVE-2026-24666
Unknown Unknown - Not Provided
CSRF Vulnerability in Open eClass Teachers Allows Grade Manipulation

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24666
EUVD
EUVD-2026-5229
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gunet open_eclass_platform to 4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

[{'type': 'paragraph', 'content': "The vulnerability allows attackers to induce authenticated teachers to perform unauthorized actions such as modifying assignment grades without consent. This represents a high integrity impact on the system's data."}, {'type': 'paragraph', 'content': 'While the vulnerability does not directly impact confidentiality or availability, the unauthorized modification of educational records could lead to non-compliance with standards and regulations that require data integrity and accountability, such as GDPR or HIPAA.'}, {'type': 'paragraph', 'content': 'Specifically, GDPR mandates ensuring the accuracy and integrity of personal data, and unauthorized grade changes could violate these principles. Similarly, HIPAA requires safeguarding the integrity of protected health information, and although this system is educational, any regulated data handled similarly would be at risk.'}, {'type': 'paragraph', 'content': 'Therefore, this CSRF vulnerability could undermine compliance by allowing unauthorized data manipulation, potentially leading to regulatory violations if exploited.'}] [1]

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-24666 is a Cross-Site Request Forgery (CSRF) vulnerability in the Open eClass platform affecting multiple teacher-restricted endpoints in versions prior to 4.2.'}, {'type': 'paragraph', 'content': 'This vulnerability occurs because the application does not properly validate the origin or intent of incoming requests and lacks effective CSRF protection mechanisms.'}, {'type': 'paragraph', 'content': "An attacker can craft malicious requests that, when executed by an authenticated teacher’s browser, cause unauthorized actions such as modifying assignment grades or altering other course-related data without the teacher's consent."}, {'type': 'paragraph', 'content': 'For example, an attacker can create a malicious HTML page that submits a form to the vulnerable grading endpoint using the teacher’s session cookies, changing grades or other data unintentionally.'}] [1]

Impact Analysis

This vulnerability can allow attackers to induce authenticated teachers to perform unintended actions such as modifying assignment grades or altering course-related data.

The integrity of the grading system and course data can be compromised, potentially leading to unauthorized grade changes.

Since the attack requires the teacher to interact with a malicious page, it exploits user interaction but does not require elevated privileges.

The overall impact is a high integrity impact, meaning data can be altered without authorization, which can undermine trust in the system.

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this CSRF vulnerability involves monitoring for unauthorized or unexpected POST requests to teacher-restricted endpoints, such as /modules/work/index.php, especially those that modify assignment grades or course data.'}, {'type': 'paragraph', 'content': 'Since the vulnerability exploits the lack of CSRF protection, you can look for suspicious HTTP POST requests that do not include proper CSRF tokens or originate from unexpected sources.'}, {'type': 'paragraph', 'content': 'Network monitoring tools or web application firewalls (WAFs) can be configured to log or block such suspicious requests.'}, {'type': 'paragraph', 'content': 'For manual inspection, you can use commands like:'}, {'type': 'list_item', 'content': "Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /modules/work/index.php'"}, {'type': 'list_item', 'content': "Using grep on web server logs to find POST requests to the grading endpoint: grep 'POST /modules/work/index.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Checking for missing or invalid CSRF tokens in requests if logs or application debugging is enabled.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this CSRF vulnerability has been patched.

Until the upgrade can be performed, consider implementing additional CSRF protections such as enforcing CSRF tokens on all teacher-restricted endpoints.

Restrict access to the vulnerable endpoints by network controls or web application firewall rules to block suspicious or unauthorized POST requests.

Educate teachers and users to avoid visiting untrusted or suspicious web pages while logged into the Open eClass platform to reduce the risk of CSRF attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart