Skip to main content

ClassroomIO CVE-2025-67259

| EUVDEUVD-2025-209575 MEDIUM
Improper Authorization (CWE-285)
2026-04-24 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 24, 2026 - 18:22 vuln.today
CVSS changed
Apr 24, 2026 - 18:22 NVD
6.5 (None) 6.5 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 15:30 euvd
EUVD-2025-209575
Analysis Generated
Apr 24, 2026 - 15:30 vuln.today
CVE Published
Apr 24, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata.

AnalysisAI

Broken access control in ClassroomIO v0.1.13 allows authenticated low-privileged students to disclose sensitive course information including other students' details, tutor/admin profiles, and internal metadata by modifying API requests from POST to GET against the PostgREST endpoint. The vulnerability requires valid student account credentials but no special privileges, enabling unauthorized horizontal and vertical access escalation within course contexts.

Technical ContextAI

ClassroomIO uses a PostgREST API gateway (/rest/v1/course endpoint) to mediate database access. The vulnerability stems from improper HTTP method validation and insufficient authorization checks at the API layer. PostgREST is a PostgreSQL-to-REST bridge that auto-generates HTTP endpoints from database schema; when configured without proper role-based access controls, it permits unintended data exposure. The issue manifests when POST request constraints (intended for write operations) are bypassed by downgrading to GET requests, which retrieve data without enforcing the same authorization rules. CWE-285 (Improper Authorization) indicates the root cause is missing or incorrect authorization logic that fails to validate whether the authenticated user has permission to access requested resources.

RemediationAI

Implement strict HTTP method-based authorization at the PostgREST API layer by configuring role-based access controls (RLS policies in PostgreSQL) to enforce that GET requests against the /rest/v1/course endpoint respect the same authorization rules as POST requests. Specifically: (1) Upgrade ClassroomIO to a patched version once available from the upstream repository (current patch version not yet confirmed; monitor https://github.com/classroomio/classroomio/releases), (2) In the interim, apply a temporary mitigation by restricting GET access to the /rest/v1/course endpoint to administrative roles only via API gateway rules or reverse proxy configuration (trade-off: may break legitimate student read operations if relying on GET), (3) Audit existing course access logs to identify unauthorized data exposure, (4) Validate PostgREST role-based access control configuration to ensure student roles have view-only or no access to sensitive course metadata fields such as other students' PII and admin/tutor profile data. Detailed advisory available at the GitHub issue linked above.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2025-67259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy