CVE-2026-24670
📋 TL;DR
CVE-2026-24670 is a broken access control vulnerability in Open eClass (formerly GUnet eClass) that allows authenticated students to create new course units, a privilege normally reserved for higher-privileged roles like instructors or administrators. This affects all Open eClass installations prior to version 4.2. The vulnerability enables privilege escalation within the learning management system.
💻 Affected Systems
- Open eClass (formerly GUnet eClass)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Students could create malicious course units containing harmful content, disrupt course structures, or create units that appear legitimate but contain inappropriate material, potentially compromising the integrity of the entire educational platform.
Likely Case
Students create unauthorized course units for personal use, academic dishonesty, or minor disruption of course organization, leading to administrative overhead and confusion in course management.
If Mitigated
With proper monitoring and role-based access controls, unauthorized unit creation would be quickly detected and reverted, causing minimal disruption before remediation.
🎯 Exploit Status
Exploitation requires only a student account and knowledge of the course unit creation functionality. No special tools or advanced techniques are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2
Vendor Advisory: https://github.com/gunet/openeclass/security/advisories/GHSA-4jf5-636r-hv9v
Restart Required: Yes
Instructions:
1. Backup your current Open eClass installation and database
2. Download Open eClass version 4.2 or later from the official repository
3. Replace the existing installation files with the new version
4. Run any database migration scripts included with the update
5. Restart your web server and verify functionality
🔧 Temporary Workarounds
Temporary Role Restriction
Manually adjust student role permissions to remove course unit creation capabilities
# Requires database access to modify role permissions
# Check Open eClass documentation for specific permission tables
🧯 If You Can't Patch
- Implement strict monitoring of course unit creation events in system logs
- Regularly audit course structures and remove unauthorized units created by student accounts
🔍 How to Verify
Check if Vulnerable:
Test whether a student account can create new course units through the web interface or API
Check Version:
Check the version in the Open eClass admin panel or look for version files in the installation directory
Verify Fix Applied:
After upgrading to version 4.2, verify that student accounts can no longer create course units
📡 Detection & Monitoring
Log Indicators:
- Unexpected course unit creation events from student accounts
- Multiple course unit creation attempts in short timeframes
Network Indicators:
- HTTP POST requests to course unit creation endpoints from student accounts
SIEM Query:
source="openeclass_logs" AND event="course_unit_created" AND user_role="student"