A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged 'student' user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students' details, tutor/admin profiles, and internal course metadata.
This vulnerability has a CVSS base score of 6.5, which classifies it as medium severity. The attack vector is network-based, and the attack complexity is low, meaning that attackers may exploit this vulnerability with minimal effort. Confidentiality impact is rated high, allowing unauthorized access to sensitive information.
Risk to organizations includes potential data breaches and unauthorized information disclosure, which can lead to reputational damage and legal liabilities. Organizations should prioritize patching immediately.
Currently, there is no known exploit available, and the vulnerability status is deferred. However, organizations should remain vigilant as the situation may change.
The urgency for defenders is to schedule remediation as soon as possible to prevent exploitation of this vulnerability.
Vulnerability Details
The official CVE description states: A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged 'student' user can access unauthorized course-level information by modifying intercepted API requests.
This vulnerability is classified under CWE-284 (Improper Access Control) and CWE-285 (Improper Authorization).
The CVSS score of 6.5 indicates a medium severity level, meaning that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly.
The vulnerability was published on April 24, 2026.
Technical Analysis
The root cause of this vulnerability lies in the improper access control mechanisms implemented within ClassroomIO, allowing low-privileged users to gain access to sensitive information. Attackers may exploit this vulnerability by intercepting API requests and modifying them to access unauthorized data.
The attack vector is network-based, and the complexity is low, indicating that an attacker does not require advanced skills to exploit this vulnerability. Privileges required are low, as the attacker must only have a student user account. User interaction is not required, making this vulnerability particularly concerning.
The confidentiality impact is high, as attackers may gain access to sensitive information, including details about other students and tutor/admin profiles. Integrity and availability impacts are both rated as none, indicating that the vulnerability does not affect the data's integrity or system availability.
Risk & Impact Analysis
Real-world deployment of this vulnerability in ClassroomIO poses significant risks. The ability for low-privileged users to access sensitive information can lead to data leaks and compromise user privacy. Organizations utilizing ClassroomIO must consider the potential blast radius; if exploited, unauthorized access could extend to all users and their associated data.
The urgency assessment based on the CVSS score indicates that organizations should address this vulnerability in their priority patch cycle. Failure to do so may result in unauthorized access and data breaches, which can have serious consequences.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
ClassroomIO version 0.1.13 is affected by this vulnerability. Organizations using this version should prioritize applying updates or patches.
Mitigation & Remediation
Organizations should apply the latest patches provided by ClassroomIO to remediate this vulnerability. If a patch is not yet available, consider implementing access controls that limit the ability of low-privileged users to modify API requests.
For further guidance on security measures and penetration testing, organizations can explore penetration testing services.
Detection Guidance
Organizations should monitor for unusual API request patterns that deviate from expected behaviors. Log indicators of unauthorized access attempts, and be vigilant for any behavioral anomalies that could signify exploitation.
AppSecure Threat Intelligence Insight
The long-term significance of this vulnerability reveals the importance of robust access controls in web applications. It illustrates how low-privileged users can exploit weaknesses to access sensitive data, highlighting the need for continuous security assessments.
Organizations must prioritize implementing secure coding practices to prevent similar vulnerabilities. Regular audits and security assessments can help identify and remediate weaknesses before they can be exploited.
For more insights on web application security, organizations can refer to the following resources: Web Application Penetration Testing, Vulnerability Management Program Design, and Penetration Testing Methodology.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)