CVE-2026-24669
Insecure Password Reset Token Reuse in Open eClass
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gunet | open_eclass_platform | up to 4.2 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24669 is a high-severity vulnerability in the Open eClass platform versions up to 4.1 related to its password reset mechanism.

The system issues a temporary password reset URL containing a token valid for one hour. However, after a user completes the password reset, the token is not invalidated or revoked, allowing it to be reused.

An attacker with local access can extract a valid password reset URL (for example, from the user's browser history) within the token's validity period and reuse it to reset the user's password again, enabling unauthorized password changes and potential account takeover.

This vulnerability is classified under CWE-613: Insufficient Session Expiration, meaning the system permits reuse of old session credentials or tokens for authorization. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized password changes and account takeover by an attacker who has local access to the affected system.

Because the password reset token can be reused within its validity period, an attacker can reset the password multiple times without the legitimate user's knowledge.

The impact includes high confidentiality, integrity, and availability risks, as an attacker can gain control over user accounts, potentially accessing sensitive information, modifying data, or disrupting services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for reuse of password reset tokens within the system. Specifically, monitoring for multiple uses of the same password reset URL or token within its validity period can indicate exploitation.

Since the attack involves extracting a valid password reset URL from a user's browser history and reusing it, detection can focus on identifying repeated password reset requests or resets from the same token.

Commands or methods to detect this might include:

- Reviewing web server logs for multiple password reset submissions using the same token or URL.
- Using grep or similar tools to search logs for password reset token parameters, for example: `grep 'reset_token=' /var/log/apache2/access.log`.
- Monitoring browser histories or local systems for presence of password reset URLs that could be reused.
- Implementing scripts to detect multiple password reset actions from the same token within the token's one-hour validity window. [1]
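As an added example (not part of the advisory and not Open eClass code), the script below implements the last detection item: it parses Apache combined-format access log lines, groups password reset submissions (POST requests) by token and reports any token submitted more than once, noting whether the repeats fall inside the one-hour validity window. The log lines are constructed for the example; the endpoint path `/reset_password.php` and the parameter name `reset_token` are assumptions that follow the grep example above, so a real deployment must substitute the actual reset endpoint and parameter name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not real Open eClass logs).
# Endpoint path and parameter name are assumptions for the example.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2026:10:00:00 +0000] "GET /reset_password.php?reset_token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Feb/2026:10:01:30 +0000] "POST /reset_password.php?reset_token=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2026:10:20:05 +0000] "POST /reset_password.php?reset_token=abc123 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.22 - - [03/Feb/2026:11:00:00 +0000] "POST /reset_password.php?reset_token=zzz999 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method + target) and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line, param="reset_token"):
    """Return (timestamp, client_ip, method, token) for a line carrying the token parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query)
    if param not in query:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["method"], query[param][0]


def find_reused_tokens(log_text, param="reset_token", window=timedelta(hours=1)):
    """Group reset submissions by token and report every token submitted more than once.

    Only POST requests count as submissions: a GET merely renders the reset form.
    Repeats inside the validity window are the CVE-2026-24669 reuse pattern; later
    repeats would be rejected by the one-hour expiry but are still worth reviewing.
    """
    submissions = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line, param)
        if parsed and parsed[2] == "POST":
            ts, ip, _, token = parsed
            submissions[token].append((ts, ip))

    findings = []
    for token, uses in submissions.items():
        if len(uses) < 2:
            continue
        uses.sort()
        findings.append({
            "token": token,
            "submissions": len(uses),
            "client_ips": sorted({ip for _, ip in uses}),
            "within_window": uses[-1][0] - uses[0][0] <= window,
        })
    return findings


if __name__ == "__main__":
    for finding in find_reused_tokens(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the token `abc123` is submitted twice, nineteen minutes apart and from two different client addresses, which is exactly the signal worth alerting on; a second submission from a different address is a stronger indicator than a retry from the same one. Run it over a real log with `find_reused_tokens(open("/var/log/apache2/access.log").read(), param="<actual parameter>")`.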
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Open eClass allows unauthorized password resets and potential account takeover due to reuse of password reset tokens. This can lead to unauthorized access to user accounts and sensitive personal data.
Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user authentication and protection of personal data.
Specifically, the failure to invalidate password reset tokens may violate principles of data security and user privacy mandated by these standards, increasing the risk of non-compliance.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this vulnerability has been patched.
Until the upgrade can be performed, consider the following temporary measures:
- Invalidate password reset tokens immediately after use to prevent reuse.
- Limit the validity period of password reset tokens to as short as possible.
- Educate users to clear their browser history or avoid saving password reset URLs.
- Monitor for suspicious password reset activity as described in detection methods.
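The root cause described above (a token that remains valid after the reset completes) and the first two mitigation items are easiest to see side by side in code. The following in-memory token store is an added illustration, not Open eClass code and not the project's fix: with `single_use=False` it reproduces the flawed behaviour, where a redeemed token keeps working until the one-hour expiry; with `single_use=True` the token is consumed on its first successful redemption and any earlier token for the same user is revoked when a new one is issued. Tokens are stored only as SHA-256 hashes so a read of the store cannot yield usable reset links. Class and method names are this example's own.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # the one-hour validity window the advisory describes


class ResetTokenStore:
    """Minimal password reset token store (example code, not Open eClass).

    single_use=False: a redeemed token stays valid until expiry (the CVE-2026-24669 flaw).
    single_use=True:  a token is consumed on first successful redemption (the fix).
    `now` is injectable so expiry can be tested without waiting.
    """

    def __init__(self, single_use=True, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.single_use = single_use
        self.ttl = ttl
        self.now = now
        # sha256(token) -> {"user": user_id, "expires": epoch seconds, "used": bool}
        self._records = {}

    @staticmethod
    def _key(token):
        # Only the hash is stored; the plaintext token lives solely in the emailed URL.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id and revoke any earlier outstanding token of theirs."""
        for rec in self._records.values():
            if rec["user"] == user_id:
                rec["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        self._records[self._key(token)] = {
            "user": user_id,
            "expires": self.now() + self.ttl,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the user_id the token belongs to if it is valid, otherwise None.

        Expiry is checked in both modes; the 'already used' check is what the
        flawed configuration omits, which is why a reset link from browser
        history still works there until the hour runs out.
        """
        rec = self._records.get(self._key(token))
        if rec is None:
            return None
        if rec["expires"] <= self.now():
            return None
        if self.single_use and rec["used"]:
            return None
        rec["used"] = True  # recorded in both modes; only enforced when single_use
        return rec["user"]


def replay_outcomes(single_use, now=time.time):
    """Issue one token and redeem it twice; returns the two results for comparison."""
    store = ResetTokenStore(single_use=single_use, now=now)
    token = store.issue("alice")
    return store.redeem(token), store.redeem(token)


if __name__ == "__main__":
    print("flawed store, redeem twice:", replay_outcomes(single_use=False))
    print("fixed store,  redeem twice:", replay_outcomes(single_use=True))
```

The flawed store answers `('alice', 'alice')` for two redemptions of the same token; the fixed store answers `('alice', None)`. In a real application the consumed flag (or deletion of the row) must be written in the same transaction as the password change, so that a crash between the two steps cannot leave a used token valid.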