CVE-2026-2997
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers to modify a specific parameter to obtain a course invitation code, thereby joining any course.
AnalysisAI
Tronclass by WisdomGarden contains an insecure direct object reference flaw that allows authenticated attackers to bypass access controls and obtain course invitation codes by manipulating course ID parameters. An attacker exploiting this vulnerability can enroll in arbitrary courses without authorization. No patch is currently available for this medium-severity issue.
Technical ContextAI
Classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers to modify a specific parameter to obtain a course invitation code, thereby joining any course.
Affected ProductsAI
Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today