CVE-2026-24467 - Vulnerability Analysis
Severity: Critical | CVSS: 9.0 | Last Updated: April 20, 2026
OpenAEV - Authentication Bypass
Overview
OpenAEV before 2.0.13 contains a broken-authentication flaw in its password reset implementation: reset tokens are short and never expire, letting unauthenticated remote attackers reset any user's password and take over accounts. Exploitation requires no authentication.
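The two properties the overview names, token length and token expiry, are what a reset-token implementation has to get right. The following is an added example written for this page in Python; it is not OpenAEV's code (the project is Java, and its fixed implementation is in the referenced commit) and all names in it (ResetTokenStore, issue, redeem, TOKEN_TTL_SECONDS) are hypothetical. It shows a reset flow with 256-bit random tokens, a bounded lifetime checked on every use, single-use redemption, hash-only storage so a database leak does not expose live tokens, and constant-time comparison.

```python
"""Password-reset tokens with entropy, expiry and single use.

Added example for CVE-2026-24467 (short, non-expiring reset tokens); it is
not OpenAEV's code. Names and the TTL value are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed lifetime for a reset link; a policy decision, not a value from the advisory.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingReset:
    user_id: str
    token_hash: bytes   # SHA-256 of the token; the clear token is never persisted
    expires_at: float   # absolute deadline in seconds (same clock as the store)


class ResetTokenStore:
    """In-memory store of outstanding reset requests, one live token per user."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, PendingReset] = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id, replacing any earlier outstanding one.

        secrets.token_urlsafe(32) draws 32 random bytes (256 bits), so the token
        cannot be brute-forced the way a short numeric or few-character token can.
        """
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = PendingReset(
            user_id=user_id,
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token  # delivered out of band (e.g. e-mail); only the hash is kept

    def redeem(self, user_id: str, presented: str) -> bool:
        """Return True exactly once for a valid, unexpired token; False otherwise.

        Order of checks: existence, expiry, then value. An expired entry is
        discarded so it can never be redeemed later, and a successful redemption
        removes the entry so the same link cannot be replayed.
        """
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return False
        presented_hash = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison: a plain == would leak match length via timing.
        if not hmac.compare_digest(presented_hash, entry.token_hash):
            return False
        del self._pending[user_id]
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")
    print("first use accepted:", store.redeem("alice", link_token))
    print("replay accepted:", store.redeem("alice", link_token))
```

The store keys outstanding requests by user so that issuing a second reset invalidates the first; if the deployment instead looks tokens up by value, the same hash-and-compare logic applies with the token hash as the key.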
Severity & Score
Impact
Unauthenticated attackers can reset any user's password, leading to full account takeover and platform compromise.
Mitigation
Upgrade to version 2.0.13 or later.
References
- https://github.com/OpenAEV-Platform/openaev/blob/82fa7d0009017110c9b509d0dc1b3a78164259dd/openaev-api/src/main/java/io/openaev/rest/user/UserApi.java#L120
- https://github.com/OpenAEV-Platform/openaev/commit/c09a4e71ea76d26fc28c9b51c76bca89a902df4f
- https://github.com/OpenAEV-Platform/openaev/releases/tag/2.0.13
- https://github.com/OpenAEV-Platform/openaev/security/advisories/GHSA-vcjx-vw28-25p2
Social Media Activity (6 posts)
CVE-2026-24467 - Critical (9) OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple... https://www.thehackerwire.com/vulnerability/CVE-2026-24467/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-24467
- Severity: Critical
- CVSS Score: 9.0
- Type: broken_authentication
- Status: unconfirmed
- EPSS: 0.0%
- Social Posts: 6
CWE
- CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H