CVE-2026-24669
Insecure Password Reset Token Reuse in Open eClass

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2.
Meta Information
Published: 2026-02-03
Last Modified: 2026-02-10
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: gunet
Product: open_eclass_platform
Version / Range: up to 4.2 (excluding 4.2)
CWE
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24669 is a high-severity vulnerability in the Open eClass platform versions up to 4.1 related to its password reset mechanism.

The system issues a temporary password reset URL containing a token valid for one hour. However, after a user completes the password reset, the token is not invalidated or revoked, allowing it to be reused.

An attacker with local access can extract a valid password reset URL (for example, from the user's browser history) within the token's validity period and reuse it to reset the user's password again, enabling unauthorized password changes and potential account takeover.

This vulnerability is classified under CWE-613: Insufficient Session Expiration, meaning the system permits reuse of old session credentials or tokens for authorization. [1]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized password changes and account takeover by an attacker who has local access to the affected system.

Because the password reset token can be reused within its validity period, an attacker can reset the password multiple times without the legitimate user's knowledge.

The impact includes high confidentiality, integrity, and availability risks, as an attacker can gain control over user accounts, potentially accessing sensitive information, modifying data, or disrupting services. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for reuse of password reset tokens within the system. Specifically, monitoring for multiple uses of the same password reset URL or token within its validity period can indicate exploitation.

Since the attack involves extracting a valid password reset URL from a user's browser history and reusing it, detection can focus on identifying repeated password reset requests or resets from the same token.

Commands or methods to detect this might include:

  • Reviewing web server logs for multiple password reset submissions using the same token or URL.
  • Using grep or similar tools to search logs for password reset token parameters, for example: `grep 'reset_token=' /var/log/apache2/access.log`.
  • Monitoring browser histories or local systems for presence of password reset URLs that could be reused.
  • Implementing scripts to detect multiple password reset actions from the same token within the token's one-hour validity window. [1]
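The last detection item above (a script that flags repeated reset submissions with the same token inside the one-hour window) can be implemented as a small log scanner. The following is an added example written for this page, not code from the Open eClass project or from the answer's author. The log lines are constructed for illustration, and the reset endpoint path (/modules/auth/lostpass.php) and query parameter name (token) are assumptions: substitute the path and parameter your installation actually uses, which you can confirm from a single legitimate reset in your own access log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample entries in Apache "combined" format. abc123 is redeemed
# twice from two different client addresses inside one hour; def456 once.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2026:10:00:05 +0000] "GET /modules/auth/lostpass.php?token=abc123 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Feb/2026:10:00:41 +0000] "POST /modules/auth/lostpass.php?token=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2026:10:25:12 +0000] "GET /modules/auth/lostpass.php?token=abc123 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2026:10:25:30 +0000] "POST /modules/auth/lostpass.php?token=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.22 - - [03/Feb/2026:11:00:00 +0000] "POST /modules/auth/lostpass.php?token=def456 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed endpoint and parameter name (not taken from the Open eClass code base).
RESET_PATH = "/modules/auth/lostpass.php"
TOKEN_PARAM = "token"
VALIDITY = timedelta(hours=1)  # the token lifetime described in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for a reset-endpoint request carrying a token, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != RESET_PATH:
        return None
    tokens = parse_qs(url.query).get(TOKEN_PARAM)
    if not tokens:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"), "token": tokens[0]}


def find_token_reuse(log_text):
    """Flag tokens submitted (POST) more than once within VALIDITY of the first use.

    Only POSTs count as a redemption; a GET is just the form being rendered.
    """
    submissions = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST":
            submissions[ev["token"]].append(ev)

    findings = []
    for token, evs in submissions.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        replays = [e for e in evs[1:] if e["ts"] - first["ts"] <= VALIDITY]
        if replays:
            findings.append({
                "token": token,
                "submissions": len(evs),
                "ips": sorted({e["ip"] for e in evs}),
                "first": first["ts"].isoformat(),
                "last": evs[-1]["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_token_reuse(SAMPLE_LOG):
        print(f)  # one finding: token abc123, 2 submissions from 2 addresses
```

Run it against a real file with `find_token_reuse(open("/var/log/apache2/access.log").read())`. A token redeemed twice is the signal; two different source addresses for the same token makes the finding stronger but is not required, since the advisory's scenario is a local attacker who may share the victim's machine.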


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Open eClass allows unauthorized password resets and potential account takeover due to reuse of password reset tokens. This can lead to unauthorized access to user accounts and sensitive personal data.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user authentication and protection of personal data.

Specifically, the failure to invalidate password reset tokens may violate principles of data security and user privacy mandated by these standards, increasing the risk of non-compliance.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this vulnerability has been patched.

Until the upgrade can be performed, consider the following temporary measures:

  • Invalidate password reset tokens immediately after use to prevent reuse.
  • Limit the validity period of password reset tokens to as short as possible.
  • Educate users to clear their browser history or avoid saving password reset URLs.
  • Monitor for suspicious password reset activity as described in detection methods.
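The first two measures above (invalidate the token after use, keep its validity short) describe the code-level fix for the token handling explained earlier on this page. The following added example, written in Python for this page and not taken from the Open eClass code base (which is PHP), contrasts a store that reproduces the described flaw with one that enforces single use. Class and function names are illustrative; the one-hour TTL is the value the advisory gives.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # one-hour validity, matching the window described above


def _now(now):
    return time.time() if now is None else now


class VulnerableResetStore:
    """Reproduces the flaw described for CVE-2026-24669: the token is checked
    for existence and expiry only, so a completed reset leaves it valid."""

    def __init__(self):
        self._tokens = {}  # token -> (user, expires_at)

    def issue(self, user, now=None):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, _now(now) + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        entry = self._tokens.get(token)
        if entry is None or _now(now) > entry[1]:
            return None
        return entry[0]  # token is left in place and can be replayed


class HardenedResetStore:
    """Single-use tokens: kept only as a SHA-256 digest, expired after
    TOKEN_TTL_SECONDS, deleted on first redemption, and superseded when a
    newer token is issued for the same user."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        # Only the most recently issued link for a user should work.
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != user}
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user, _now(now) + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        # pop() removes the entry whether or not the token turns out to be
        # valid, so a second submission of the same link always fails.
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None or _now(now) > entry[1]:
            return None
        return entry[0]


def replay_within_window(store_cls, now=1_000_000.0):
    """Issue a token, redeem it once, then replay it two minutes later."""
    store = store_cls()
    token = store.issue("alice", now=now)
    first = store.redeem(token, now=now + 60)
    second = store.redeem(token, now=now + 120)
    return first, second


if __name__ == "__main__":
    print("vulnerable:", replay_within_window(VulnerableResetStore))  # ('alice', 'alice')
    print("hardened:  ", replay_within_window(HardenedResetStore))    # ('alice', None)
```

Storing only a digest of the token means a leaked database table does not hand out working reset links, and deleting the entry on redemption (rather than marking it used) keeps the check to a single lookup. Shortening TOKEN_TTL_SECONDS implements the second bullet above; the value is a policy choice for the deployment.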
