CVE-2026-24773
Unknown Unknown - Not Provided
IDOR Vulnerability in Open eClass Allows Unauthorized File Access

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24773
EUVD
EUVD-2026-5232
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gunet open_eclass_platform to 4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24773 is an Insecure Direct Object Reference (IDOR) vulnerability in the Open eClass platform versions up to 4.1. It allows unauthenticated remote attackers to access personal files of other users by manipulating predictable, sequential user identifiers in the URL. Specifically, attackers can send HTTP GET requests with different user IDs and file names to retrieve files belonging to other users without any authentication or authorization checks.

The vulnerability exists because the system does not properly verify whether the requester is authorized to access the requested files, leading to unauthorized disclosure of sensitive user data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive personal files belonging to other users. Since no authentication is required, any remote attacker can exploit this flaw to access private data simply by guessing or enumerating user IDs and requesting files directly.

The impact includes exposure of confidential information, which can result in privacy violations, loss of trust, and potential misuse of the exposed data.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access files of other users through unauthenticated HTTP GET requests that manipulate the user ID in the URL. Since user IDs are sequential and predictable, you can try enumerating user IDs to see if files from other users are accessible.'}, {'type': 'paragraph', 'content': 'A suggested command to test this vulnerability is to send an HTTP GET request to the affected endpoint with different user IDs, for example:'}, {'type': 'list_item', 'content': 'curl -i "http://<target>/modules/document/file.php/user,14/personal_file.txt"'}, {'type': 'paragraph', 'content': "Replace '14' with other user IDs to check if files belonging to other users can be accessed without authentication."}] [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Open eClass platform to version 4.2 or later, where this issue has been patched.

Until the upgrade can be performed, restrict access to the vulnerable endpoint by implementing access controls or network-level restrictions to prevent unauthenticated access to the file access URL.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to access personal files of other users, leading to unauthorized disclosure of potentially sensitive user data.

Such unauthorized exposure of personal data can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24773. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart