Skip to main content

Openaev CVE-2026-24467

| EUVDEUVD-2026-23882 CRITICAL
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-04-20 security-advisories@github.com
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 25, 2026 - 18:00 nvd
Patch available
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Patch available
Apr 20, 2026 - 17:16 EUVD
Analysis Generated
Apr 20, 2026 - 16:24 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 16:22 euvd
EUVD-2026-23882
Analysis Generated
Apr 20, 2026 - 16:22 vuln.today
CVE Published
Apr 20, 2026 - 16:16 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover. The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if newer tokens are issued for the same account. This allows an attacker to accumulate valid password reset tokens over time and reuse them at any point in the future to reset a victim’s password. A secondary weakness is that password reset tokens are only 8 digits long. While an 8-digit numeric token provides 100,000,000 possible combinations (which is secure enough), the ability to generate large numbers of valid tokens drastically reduces the required number of attempts to guess a valid password reset token. For example, if an attacker generates 2,000 valid tokens, the brute-force effort is reduced to approximately 50,000 attempts, which is a trivially achievable number of requests for an automated attack. (100 requests per second can mathematically find a valid password reset token in 500 seconds.) By combining these flaws, an attacker can mass-generate valid password reset tokens and then brute-force them efficiently until a match is found, allowing the attacker to reset the victim’s password to a value of their choosing. The original password is not required, and the attack can be performed entirely without authentication. This vulnerability enables full account takeover that leads to platform compromise. An unauthenticated remote attacker can reset the password of any registered user account and gain complete access without authentication. Because user email addresses are exposed to other users by design, a single guessed or observed email address is sufficient to compromise even administrator accounts with non-guessable email addresses. This design flaw results in a reliable and scalable account takeover vulnerability that affects any registered user account in the system. Note: The vulnerability does not require OpenAEV to have the email service configured. The exploit does not depend on the target email address to be a real email address. It just needs to be registered to OpenAEV. Successful exploitation allows an unauthenticated remote attacker to access sensitive data (such as the Findings section of a simulation), modify payloads executed by deployed agents to compromise all hosts where agents are installed (therefore the Scope is changed). Users should upgrade to version 2.0.13 to receive a fix.

AnalysisAI

Account takeover in OpenAEV cyber adversary simulation platform (versions 1.0.0 through 2.0.12) allows remote unauthenticated attackers to reset any user's password via non-expiring 8-digit reset tokens. By mass-generating tokens (which never expire) and brute-forcing the small token space, attackers can reliably compromise administrator accounts within minutes, leading to full platform compromise including modification of payloads executed on all agent-deployed hosts. EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor-released patch available in version 2.0.13.

Technical ContextAI

OpenAEV is a Java-based platform for cyber adversary emulation campaigns. The vulnerability resides in the password reset implementation within the UserApi class (openaev-api module). The flaw combines two weaknesses per CWE-640 (Weak Password Recovery Mechanism for Forgotten Password): indefinite token validity (no expiration) and insufficient token entropy (8 decimal digits = ~26.6 bits). Standard security practice requires password reset tokens to expire within minutes and use cryptographically random 128+ bit values. The 8-digit token space (10^8 combinations) becomes trivially brute-forceable when multiple valid tokens can be accumulated. The GitHub commit reference (c09a4e71ea76d26fc28c9b51c76bca89a902df4f) shows the remediation introduced token expiration and likely increased token complexity. Critically, the vulnerability does not require a functioning email service-tokens can be generated for any registered username regardless of email deliverability, eliminating a common defense-in-depth control.

RemediationAI

Immediate upgrade to OpenAEV version 2.0.13 is required, available at github.com/OpenAEV-Platform/openaev/releases/tag/2.0.13. The fix commit (c09a4e71ea76d26fc28c9b51c76bca89a902df4f) implements token expiration and likely increases token entropy. Post-upgrade, force password resets for all accounts (especially administrators) as previously generated non-expiring tokens may still be valid until explicitly invalidated. If immediate patching is impossible, implement network-level rate limiting to password reset endpoints (limit to 10 requests per IP per hour) to make brute-force attacks impractical-note this is a weak compensating control as distributed attacks or slow-rate attacks remain viable. Consider temporarily restricting platform access to trusted IP ranges via firewall rules until patching is complete. Review authentication logs for suspicious password reset activity (multiple reset requests for single accounts, reset requests from unusual IP addresses). Since the platform manages adversary simulation agents with code execution capabilities on enterprise hosts, audit all payloads and agent configurations for unauthorized modifications that may have occurred if exploitation is suspected. No workaround fully mitigates this vulnerability; upgrade is mandatory.

Share

CVE-2026-24467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy