CVE-2026-24773
Published: 03 February 2026
Summary
CVE-2026-24773 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Gunet Open Eclass Platform. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-24773 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the Open eClass platform, a complete course management system formerly known as GUnet eClass. Versions prior to 4.2 are vulnerable, enabling unauthenticated remote attackers to access personal files belonging to other users by directly requesting predictable user identifiers. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effects on integrity or availability.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging predictable user identifiers, they can directly access sensitive personal files of other users, potentially exposing private data without needing privileges or authentication.
The issue has been addressed in Open eClass version 4.2. Additional details are available in the GitHub security advisory at https://github.com/gunet/openeclass/security/advisories/GHSA-63pm-pff4-xc9c.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5232
Vulnerability details
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting…
more
predictable user identifiers. This issue has been patched in version 4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing web app enables remote unauthenticated file access (T1190 initial access via public app exploitation + T1005 collection of data/files from the system).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to system resources like user files, directly preventing IDOR exploitation by unauthenticated attackers using predictable identifiers.
Protects publicly accessible system functions from unauthorized access without identification or authentication, mitigating exposure of personal files via direct requests.
Limits permitted actions without authentication to only essential non-sensitive resources, preventing unauthenticated access to other users' personal files.