CVE-2026-24467
Persistent Password Reset Token Flaw in OpenAEV Enables Account Takeover

Publication date: 2026-04-20

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
OpenAEV is an open source platform that allows organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover.

The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or newer tokens have been issued for the same account. This allows an attacker to accumulate valid password reset tokens over time and reuse any of them at a later point to reset a victim's password.

A secondary weakness is that password reset tokens are only 8 digits long. While an 8-digit numeric token provides 100,000,000 possible combinations (which is secure enough on its own), the ability to generate large numbers of valid tokens drastically reduces the number of attempts needed to guess a valid one. For example, if an attacker generates 2,000 valid tokens, the brute-force effort is reduced to approximately 50,000 attempts, a trivially achievable number of requests for an automated attack (100 requests per second can mathematically find a valid password reset token in 500 seconds).

By combining these flaws, an attacker can mass-generate valid password reset tokens and then brute-force them efficiently until a match is found, allowing the attacker to reset the victim's password to a value of their choosing. The original password is not required, and the attack can be performed entirely without authentication. This vulnerability enables full account takeover leading to platform compromise: an unauthenticated remote attacker can reset the password of any registered user account and gain complete access.

Because user email addresses are exposed to other users by design, a single guessed or observed email address is sufficient to compromise even administrator accounts with non-guessable email addresses. This design flaw results in a reliable and scalable account takeover vulnerability that affects any registered user account in the system.

Note: the vulnerability does not require OpenAEV to have the email service configured, and the exploit does not require the target email address to be a real mailbox; it only needs to be registered in OpenAEV. Successful exploitation allows an unauthenticated remote attacker to access sensitive data (such as the Findings section of a simulation) and to modify payloads executed by deployed agents, compromising all hosts where agents are installed (hence the CVSS Scope is changed). Users should upgrade to version 2.0.13 to receive a fix.
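As an added illustration (not OpenAEV's code), the following Python shows a reset-token store that closes both weaknesses described above: tokens carry an expiry, a newly issued token invalidates the previous one for the account, and tokens are single-use and compared in constant time. The expected_guesses() helper reproduces the advisory's arithmetic (2,000 live tokens in a 10^8 space give about 50,000 expected attempts). The 15-minute TTL, the SHA-256 storage scheme and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset token lives 15 minutes
TOKEN_DIGITS = 8              # the advisory's 8-digit numeric tokens

class ResetTokenStore:
    """Hypothetical store: at most one live token per account, with expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._active = {}   # account -> (sha256(token), expires_at)

    def issue(self, account):
        """Issue a fresh token; any earlier token for the account is dropped."""
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self._active[account] = (self._hash(token), self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account, token):
        """Accept a token once: it must be the current one and not expired."""
        record = self._active.get(account)
        if record is None:
            return False
        token_hash, expires_at = record
        if self._clock() > expires_at:
            del self._active[account]        # stale token is purged, not honoured
            return False
        if not hmac.compare_digest(token_hash, self._hash(token)):
            return False                     # wrong guess; store stays unchanged
        del self._active[account]            # single use
        return True

    @staticmethod
    def _hash(token):
        # store only a digest so a leaked table does not reveal live tokens
        return hashlib.sha256(token.encode()).hexdigest()

def expected_guesses(live_tokens, digits=TOKEN_DIGITS):
    """Expected random guesses until one hits any of `live_tokens` distinct valid
    tokens. With one live token that is 10^8; with the advisory's 2,000 it is 50,000."""
    return 10 ** digits // live_tokens
```

With one live token per account the guesser is back to the full 10^8 space per 15-minute window, which is why the expiry and the single-active-token rule matter more than the token length.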
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-25
Generated: 2026-05-07
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: filigran
Product: openaev
Version / Range: From 1.0.0 (inc) to 2.0.13 (exc)
CWE
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24467 is a critical vulnerability in the OpenAEV platform's password reset mechanism that allows unauthenticated attackers to take over any registered user account.

The main issue is that password reset tokens do not expire and remain valid indefinitely, even after newer tokens are issued. This lets an attacker accumulate many valid tokens over time and reuse them to reset passwords at any time.

Additionally, the tokens are only 8-digit numeric codes, which theoretically provide 100 million combinations. However, because attackers can generate thousands of valid tokens, the brute-force search space is drastically reduced, making it feasible to guess a valid token quickly.

By mass-generating tokens and brute-forcing them, an attacker can reset a victim's password without knowing the original password or requiring any authentication, using only a registered email address.

This vulnerability enables full account takeover, allowing attackers to access sensitive data and modify payloads executed by deployed agents, potentially compromising all hosts running those agents.


How can this vulnerability impact me?

This vulnerability can lead to complete account takeover by an unauthenticated remote attacker.

Once an attacker resets a user's password, they gain full access to that user's account, including administrator accounts if their email addresses are known or guessed.

With control over user accounts, attackers can access sensitive data such as simulation findings and modify payloads executed by deployed agents, which can compromise all hosts where those agents are installed.

The attack does not require the original password or a real email address, only that the email is registered in OpenAEV, making it scalable and reliable.

Overall, the vulnerability severely impacts confidentiality, integrity, and availability of the platform and its data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to brute-force or validate password reset tokens against the OpenAEV password reset API endpoints. Specifically, an attacker can send requests to the password reset validation endpoint to check if tokens are valid indefinitely.

A proof-of-concept (PoC) uses the ffuf tool to brute-force tokens against the password reset API endpoint on localhost:8080, waiting for HTTP 200 responses indicating valid tokens.

Suggested command example to detect the vulnerability by brute-forcing tokens (replace with actual target URL and token range):

  • ffuf -u http://localhost:8080/api/reset/FUZZ -w tokens.txt -mc 200

Where 'tokens.txt' contains a list of possible 8-digit numeric tokens. A 200 HTTP response indicates a valid token due to the lack of token expiration.


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to upgrade the OpenAEV platform to version 2.0.13 or later, where this vulnerability has been fixed.

Until the upgrade is applied, consider restricting access to the password reset API endpoints to trusted networks or users to reduce the risk of brute-force attacks.

Additionally, monitor for unusual password reset activity and consider implementing additional rate limiting or CAPTCHA protections on the password reset functionality.
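An added example (not OpenAEV code) of the monitoring step above: it scans access-log lines in a constructed format for the two phases of the attack this advisory describes, many reset requests for one account (token accumulation) and many token checks from one client (brute force), using a sliding window. The log layout, the thresholds, the request methods and the 2026-04-21 sample entries are assumptions; the /api/reset path is the one named in the PoC above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=10)
MAX_ISSUES_PER_ACCOUNT = 5    # assumption: >5 reset requests per account in the window
MAX_CHECKS_PER_CLIENT = 20    # assumption: >20 token checks per client in the window

# constructed line layout: "<ISO-8601> <client_ip> <method> <path> <status> <account>"
ISSUE_RE = re.compile(r"^POST /api/reset$")        # a reset request mints a token
CHECK_RE = re.compile(r"^GET /api/reset/\d{8}$")   # one token guess, as in the PoC

def detect_reset_abuse(lines):
    """Return sorted (kind, key, peak_count) alerts; lines must be in time order."""
    issues = defaultdict(deque)   # account -> timestamps of reset requests
    checks = defaultdict(deque)   # client_ip -> timestamps of token checks
    alerts = {}
    for line in lines:
        ts_s, ip, method, path, _status, account = line.split()
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        request = f"{method} {path}"
        if ISSUE_RE.match(request):
            bucket, key, kind, limit = issues[account], account, "token-accumulation", MAX_ISSUES_PER_ACCOUNT
        elif CHECK_RE.match(request):
            bucket, key, kind, limit = checks[ip], ip, "token-bruteforce", MAX_CHECKS_PER_CLIENT
        else:
            continue   # unrelated traffic
        bucket.append(ts)
        while ts - bucket[0] > WINDOW:   # drop events older than the window
            bucket.popleft()
        if len(bucket) > limit:
            alerts[(kind, key)] = max(alerts.get((kind, key), 0), len(bucket))
    return sorted((kind, key, n) for (kind, key), n in alerts.items())

def sample_log():
    """Constructed sample: one benign reset, six reset requests for the victim
    account, then 25 token guesses from the same client."""
    base = datetime(2026, 4, 21, 10, 0, 0)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{stamp(base)} 198.51.100.7 POST /api/reset 200 bob@example.org"]
    for i in range(6):
        lines.append(f"{stamp(base + timedelta(seconds=30 * i))} "
                     f"203.0.113.5 POST /api/reset 200 victim@example.org")
    for i in range(25):
        lines.append(f"{stamp(base + timedelta(minutes=4, seconds=i))} "
                     f"203.0.113.5 GET /api/reset/{i:08d} 404 -")
    return lines
```

Either alert is a signal to rate-limit the reset endpoint for that key and to review the account's recent password changes.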


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in OpenAEV allows unauthenticated attackers to take over any registered user account, leading to full platform compromise and unauthorized access to sensitive data such as simulation findings.

This unauthorized access and potential data modification severely impact the confidentiality, integrity, and availability of user data, which are core principles in compliance frameworks like GDPR and HIPAA.

Because the vulnerability enables scalable and reliable account takeover without authentication, it increases the risk of data breaches and unauthorized data exposure, which could lead to non-compliance with data protection regulations requiring strict access controls and protection of personal and sensitive information.

