CVE-2026-24669 HIGH

CVE-2026-24669: Open eClass Insecure Password Reset Token Reuse Enables Account Takeover

Vendor Gunet
Product openeclass
Weakness CWE-613 · Insufficient session expiration
Published February 3, 2026
Last update February 4, 2026

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2.

Key dates

02 Disclosure timeline

February 3, 2026 CVE published
February 4, 2026 Record updated