CVE-2026-10167
Authentication Bypass in BrinaryBrains School System
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ousl-group | school_student_management_system | to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-10167 is an authentication bypass issue in the OUSL-GROUP-BrinaryBrains School Student Management System. It affects the sign_auth_cookie function in the Login.php controller. The flaw arises because the system uses a hardcoded secret key for HMAC-SHA256 signing of the authentication cookie, so the key that is supposed to be known only to the server is available to anyone who reads the source.
An attacker can exploit this by computing a valid signature offline using the known key "Signetbd" and crafting a forged authentication cookie for any user role (such as admin, teacher, student, or parent) and user ID. When the server processes this forged cookie, it validates the signature and grants access to the corresponding user account without requiring a password.
This allows the attacker to bypass authentication remotely and gain unauthorized access to the system.
How can this vulnerability impact me?
This vulnerability can lead to a complete system compromise because attackers can impersonate any user, including administrators.
- Unauthorized access to sensitive data.
- Ability to modify or delete critical information.
- Full bypass of authentication mechanisms without needing passwords.
- Remote exploitation without user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for forged `school_auth` cookies that are signed using the known hardcoded key "Signetbd". Since the attack involves crafting a valid HMAC-SHA256 signature offline, detection involves inspecting authentication cookies for suspicious signatures or unexpected user roles.
Commands to detect this might include capturing HTTP requests and analyzing cookies for the `school_auth` cookie value. For example, using tools like tcpdump or Wireshark to capture traffic, then extracting and verifying the cookie signatures offline. Note that traffic on port 443 is TLS-encrypted, so cookies are only readable in the capture for plain HTTP on port 80 or when capturing behind a TLS-terminating proxy.
- Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443'
- Extract `school_auth` cookies from captured traffic and analyze their signatures using a script that attempts to verify the HMAC-SHA256 with the known key "Signetbd".
- Look for cookies that present a role (admin, teacher, student, parent) or user ID with no corresponding properly authenticated login session.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include invalidating all existing `school_auth` cookies and changing the signing mechanism to use a secure, secret key that is not hardcoded or publicly known.
Since the vulnerability allows attackers to forge authentication cookies, it is critical to update the system to use a secure, randomly generated key for HMAC signing and to implement additional authentication checks.
- Invalidate all current sessions and force users to re-authenticate.
- Replace the hardcoded key "Signetbd" with a secure, secret key stored safely and not exposed in the code.
- Implement additional server-side validation for user roles and authentication tokens.
- Monitor logs for suspicious authentication attempts and forged cookies.
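The following is an added illustration of the fix described above (not code from the BrinaryBrains project, which is written in PHP): the signing key is loaded from the environment instead of the source, the cookie carries an issue time so sessions expire, the tag is compared in constant time, and rotating the key invalidates every cookie issued under the old one. The cookie layout `role|user_id|issued_at|tag` and the variable name `SCHOOL_AUTH_KEY` are assumptions.

```python
import hmac
import hashlib
import os
import secrets

ALLOWED_ROLES = {"admin", "teacher", "student", "parent"}


def generate_signing_key() -> str:
    """One-off: store the result in the environment, never in Login.php."""
    return secrets.token_hex(32)


def load_signing_key() -> bytes:
    # Assumed variable name; the key must never be a literal in the source.
    key = os.environ.get("SCHOOL_AUTH_KEY")
    if key is None or len(key) < 32:
        raise RuntimeError("SCHOOL_AUTH_KEY missing or too short; "
                           "set it from generate_signing_key()")
    return key.encode()


def sign_auth_cookie(role: str, user_id: int, key: bytes, issued_at: int) -> str:
    """Return 'role|user_id|issued_at|hex(HMAC-SHA256)' (assumed cookie layout)."""
    if role not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    payload = f"{role}|{user_id}|{issued_at}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_auth_cookie(cookie: str, key: bytes, now: int, max_age: int = 3600):
    """Return (role, user_id) if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    role, user_id, issued_at, tag = parts
    payload = f"{role}|{user_id}|{issued_at}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    if role not in ALLOWED_ROLES or not user_id.isdigit() or not issued_at.isdigit():
        return None
    # Reject cookies that are too old or claim to be issued in the future.
    if int(issued_at) > now or now - int(issued_at) > max_age:
        return None
    return role, int(user_id)
```

Rotating the key once (and keeping the new one out of the repository) is what turns the "invalidate all sessions" step into a guarantee: cookies signed under the old key stop verifying immediately.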
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to bypass authentication and gain unauthorized access to sensitive data by forging valid authentication cookies. Such unauthorized access can lead to exposure, modification, or deletion of personal and sensitive information stored within the system.
As a result, this weakness can negatively impact compliance with common data protection standards and regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access.
Specifically, the ability for attackers to impersonate administrators and access sensitive user data without authorization violates principles of data confidentiality and integrity mandated by these regulations.