Skip to main content

Lightspeed Classroom EUVDEUVD-2026-25567

| CVE-2026-30368 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-24 mitre
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 27, 2026 - 08:22 vuln.today
CVSS changed
Apr 27, 2026 - 08:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 16:00 euvd
EUVD-2026-25567
Analysis Generated
Apr 24, 2026 - 16:00 vuln.today
CVE Published
Apr 24, 2026 - 00:00 nvd
MEDIUM 5.4

DescriptionCVE.org

A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.

AnalysisAI

Lightspeed Classroom v5.1.2.1763770643 contains a client-side authorization flaw that allows unauthenticated remote attackers to impersonate users and bypass integrity checks on client-generated authorization tokens, enabling unauthorized remote control and monitoring of student devices. The vulnerability requires high attack complexity and affects confidentiality and integrity with limited scope impact (CVSS 5.4). Despite a high CVSS score, the EPSS score of 0.03% indicates minimal real-world exploitation probability, suggesting this requires specific technical conditions or targeted attack scenarios rather than widespread automated exploitation.

Technical ContextAI

Lightspeed Classroom uses a client-side authorization mechanism that relies on client-generated tokens for authentication and access control decisions. The vulnerability stems from insufficient server-side validation of these tokens, classified as CWE-863 (Improper Authorization). The flaw allows attackers to forge or tamper with authorization tokens without server-side integrity verification, bypassing the intended access control boundaries. This is characteristic of client-side trust assumptions where security decisions are made on the client and not re-validated server-side, a common pattern in educational software where device management tokens are issued to student endpoints. The attack surface involves the token generation, transmission, and acceptance mechanisms between classroom management servers and student devices.

RemediationAI

Upgrade Lightspeed Classroom to a patched version released by Lightspeed after v5.1.2.1763770643. Contact Lightspeed support or check their security advisories for the exact fixed version number, as vendor patch data is not provided in this analysis. As an interim compensating control, restrict network access to Lightspeed Classroom servers to trusted instructor/admin networks only, blocking direct student device access to authentication endpoints if the architecture permits. Implement server-side token validation by requiring re-authentication of all authorization tokens server-side before granting device control or monitoring permissions, even if clients present valid tokens. Monitor for suspicious token-based access by logging all device control requests and cross-referencing token holders with expected user mappings; alert on mismatches. Disable remote device control features not actively in use during classroom sessions. Note that these compensating controls reduce functionality and may impact legitimate classroom operations; they are intended as temporary measures pending patching.

Share

EUVD-2026-25567 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy