CVE-2026-24664 in Open eClass

Summary

by MITRE • 02/03/2026

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2.


Analysis

by VulDB Data Team • 02/03/2026

The Open eClass platform, formerly known as GUnet eClass, is a comprehensive course management system used by educational institutions worldwide to deliver online learning environments and academic content. It is widely adopted for features including course creation, user management, and content organization. Its architecture includes standard authentication mechanisms that verify user credentials and control access to educational resources. However, versions prior to 4.2 contain a critical username enumeration flaw that undermines the platform's security posture.

The flaw is a username enumeration vulnerability arising from differences in the login response for valid and invalid accounts. When a login is attempted, the platform responds differently depending on whether the username exists in the database: a valid username typically yields a response indicating that the account exists but the password is incorrect, while an invalid username produces a different response. This inconsistency lets an attacker distinguish legitimate from non-existent accounts without holding any credentials. The vulnerability sits at the application layer, in the authentication endpoint, and is especially dangerous because it can be exercised with automated tools and scripts.

The operational impact goes beyond simple account enumeration and poses a significant risk to the security infrastructure of institutions running the platform. Attackers can systematically test usernames against the login endpoint to build lists of valid accounts, which can then feed follow-on attacks such as password spraying, credential stuffing, or targeted social engineering. In effect the vulnerability hands an attacker a reconnaissance tool for mapping an institution's user base, potentially exposing information about faculty, staff, and students. This undermines the basic principle of keeping account information confidential and can lead to cascading security issues when combined with other vulnerabilities or attack vectors.

Mitigation centers on response normalization and authentication hardening. Version 4.2 patches the issue by returning a consistent response to every authentication attempt regardless of whether the username exists, in line with the consistent-error-handling guidance of the OWASP Authentication Cheat Sheet. Organizations should also apply rate limiting on authentication attempts, account lockout mechanisms, and monitoring for suspicious login patterns. The vulnerability underlines the importance of careful input validation and response handling in web applications, and of thorough security testing of authentication mechanisms. The issue is classified as CWE-200 (information exposure) and maps to ATT&CK technique T1078 for valid accounts and T1566 for social engineering attacks that may leverage the enumerated information.
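As an added illustration (not Open eClass code and not part of the advisory), the following Python sketch places a login check that leaks account existence through its message beside the normalized form the mitigation describes, with a small defensive check that reports whether an unauthenticated probe can tell the two account states apart. The user store, salt, and messages are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store (hypothetical, not Open eClass data).
# A single fixed salt keeps the example short; real code salts per user.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse")}
# Dummy hash verified for unknown users so the slow path runs either way,
# keeping response time as well as message text uniform.
_DUMMY = _hash(secrets.token_hex(16))


def login_leaky(username: str, password: str):
    """'Before' behaviour: the message reveals whether the account exists."""
    stored = USERS.get(username)
    if stored is None:
        return (False, "Unknown username")
    if hmac.compare_digest(stored, _hash(password)):
        return (True, "Welcome")
    return (False, "Wrong password")


def login_uniform(username: str, password: str):
    """Hardened: one generic message, and a hash is always computed."""
    stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(stored, _hash(password))
    # The membership check runs after the hash so timing stays uniform;
    # it also rules out a dummy-hash match for an unknown account.
    if matched and username in USERS:
        return (True, "Welcome")
    return (False, "Invalid username or password")


def distinguishable(login) -> bool:
    """Defensive check: does a bogus-password probe separate a real user
    from a non-existent one? True means the handler is enumerable."""
    real = login("alice", "not-the-password")
    fake = login("nobody", "not-the-password")
    return real != fake
```

Running `distinguishable` against each handler is a cheap regression test to keep in a suite after normalizing login responses.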

Responsible: GitHub M

Reservation: 01/23/2026

Disclosure: 02/03/2026

Moderation: accepted

CPE: ready

EPSS: 0.00086

KEV: no

Activities: very low
