CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students' details, tutor/admin profiles, and internal course metadata.
Analysis (AI)
Broken access control in ClassroomIO v0.1.13 allows an authenticated low-privileged student to disclose sensitive course information, including other students' details, tutor/admin profiles, and internal course metadata, by changing an API request from POST to GET against the PostgREST endpoint. The vulnerability requires valid student account credentials but no special privileges, and it yields both horizontal access (other students' data) and vertical access (tutor/admin data) within a course.
Technical Context (AI)
ClassroomIO uses a PostgREST API gateway (the /rest/v1/course endpoint) to mediate database access. The vulnerability stems from improper HTTP method validation and insufficient authorization checks at the API layer. PostgREST is a PostgreSQL-to-REST bridge that auto-generates HTTP endpoints from the database schema; when it is configured without proper role-based access controls, it permits unintended data exposure. The issue manifests when the constraints applied to POST requests (intended for write operations) are bypassed by downgrading to a GET request, which retrieves data without the same authorization rules being enforced. CWE-285 (Improper Authorization) indicates that the root cause is missing or incorrect authorization logic that fails to validate whether the authenticated user has permission to access the requested resources.
Remediation (AI)
Implement strict authorization at the PostgREST API layer by configuring role-based access controls (row-level security, RLS, policies in PostgreSQL) so that GET requests against the /rest/v1/course endpoint are subject to the same authorization rules as POST requests. Specifically:
(1) Upgrade ClassroomIO to a patched version once available from the upstream repository (the patched version is not yet confirmed; monitor https://github.com/classroomio/classroomio/releases).
(2) In the interim, apply a temporary mitigation by restricting GET access to the /rest/v1/course endpoint to administrative roles only, via API gateway rules or reverse proxy configuration (trade-off: this may break legitimate student read operations that rely on GET).
(3) Audit existing course access logs to identify unauthorized data exposure.
(4) Validate the PostgREST role-based access control configuration to ensure student roles have view-only or no access to sensitive course metadata fields such as other students' PII and admin/tutor profile data.
Detailed advisory available at the GitHub issue linked above.
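The remediation above recommends enforcing authorization inside the database with RLS policies, so that the HTTP method used to reach /rest/v1/course no longer decides what a caller can read. The PostgreSQL/PostgREST configuration below is an added illustration, not ClassroomIO's own schema or policies: the course and course_member tables, the student and tutor database roles, and the jwt_sub() helper are assumptions. It places the permissive policy that exposes every row beside a corrected policy that scopes rows to the caller's own memberships and hides tutor-only columns from students.

```sql
-- Added example (hypothetical schema, not ClassroomIO's). Roles "student"
-- and "tutor" are assumed to be the database roles PostgREST switches to
-- from the JWT "role" claim; PostgREST's connection role must be able to
-- switch to them, e.g.  GRANT student, tutor TO authenticator;
CREATE ROLE student NOLOGIN;
CREATE ROLE tutor   NOLOGIN;

CREATE TABLE course (
  id            uuid PRIMARY KEY,
  title         text NOT NULL,
  description   text,
  internal_note text            -- tutor/admin-only course metadata
);

CREATE TABLE course_member (
  course_id uuid NOT NULL REFERENCES course(id),
  user_id   uuid NOT NULL,
  role      text NOT NULL CHECK (role IN ('student', 'tutor')),
  PRIMARY KEY (course_id, user_id)
);

-- Caller identity: PostgREST stores the verified JWT claims in the
-- transaction setting request.jwt.claims; "sub" is assumed to be the user id.
CREATE FUNCTION jwt_sub() RETURNS uuid LANGUAGE sql STABLE AS $$
  SELECT nullif(current_setting('request.jwt.claims', true)::json ->> 'sub', '')::uuid
$$;

ALTER TABLE course ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON course TO student, tutor;

-- Weak configuration: every row is readable by every authenticated role.
-- With this policy a plain GET /rest/v1/course returns all courses, including
-- internal_note, for any caller holding a valid student token.
CREATE POLICY course_read_all ON course FOR SELECT USING (true);

-- Corrected configuration.
DROP POLICY course_read_all ON course;

-- Row scope: a caller sees only courses they are a member of. The policy is
-- evaluated by PostgreSQL on every SELECT, so it holds no matter whether the
-- client sent GET, POST, or an RPC call through PostgREST.
CREATE POLICY course_read_member ON course FOR SELECT
  USING (EXISTS (
    SELECT 1 FROM course_member m
    WHERE m.course_id = course.id AND m.user_id = jwt_sub()
  ));

-- Column scope: students can never read internal_note. The table-wide grant
-- is replaced by a column list; any student query that touches internal_note
-- is rejected by PostgreSQL with a permission error. Tutors keep full read.
REVOKE SELECT ON course FROM student;
GRANT SELECT (id, title, description) ON course TO student;

-- Apply the policies even when the connection runs as the table owner.
ALTER TABLE course FORCE ROW LEVEL SECURITY;

-- The membership table must be scoped as well, otherwise a student can list
-- classmates' user ids through /rest/v1/course_member. Restricting each caller
-- to their own rows is also exactly what the course policy's subquery needs.
ALTER TABLE course_member ENABLE ROW LEVEL SECURITY;
ALTER TABLE course_member FORCE ROW LEVEL SECURITY;
GRANT SELECT ON course_member TO student, tutor;
CREATE POLICY member_read_own ON course_member FOR SELECT
  USING (user_id = jwt_sub());
```

Two points are worth checking after applying something like this: first, that no remaining policy on the table uses a bare `USING (true)` for a low-privilege role, and second, that a request for the full column set as the student role fails rather than silently returning the sensitive column. Because the check lives in the database rather than in the gateway's handling of a particular HTTP method, a reverse-proxy rule that blocks GET (interim step 2 above) becomes a defence in depth rather than the only control.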
EUVD identifier: EUVD-2025-209575