CVE-2026-24467: CWE-640: Weak Password Recovery Mechanism for Forgotten Password in OpenAEV-Platform openaev
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover. The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if newer tokens are issued for the same account. This allows an attacker to accumulate valid password reset tokens over time and reuse them at any point in the future to reset a victim’s password. A secondary weakness is that password reset tokens are only 8 digits long. While an 8-digit numeric token provides 100,000,000 possible combinations (which is secure enough), the ability to generate large numbers of valid tokens drastically reduces the required number of attempts to guess a valid password reset token. For example, if an attacker generates 2,000 valid tokens, the brute-force effort is reduced to approximately 50,000 attempts, which is a trivially achievable number of requests for an automated attack. (100 requests per second can mathematically find a valid password reset token in 500 seconds.) By combining these flaws, an attacker can mass-generate valid password reset tokens and then brute-force them efficiently until a match is found, allowing the attacker to reset the victim’s password to a value of their choosing. The original password is not required, and the attack can be performed entirely without authentication. This vulnerability enables full account takeover that leads to platform compromise. An unauthenticated remote attacker can reset the password of any registered user account and gain complete access without authentication. Because user email addresses are exposed to other users by design, a single guessed or observed email address is sufficient to compromise even administrator accounts with non-guessable email addresses. This design flaw results in a reliable and scalable account takeover vulnerability that affects any registered user account in the system. Note: The vulnerability does not require OpenAEV to have the email service configured. The exploit does not depend on the target email address to be a real email address. It just needs to be registered to OpenAEV. Successful exploitation allows an unauthenticated remote attacker to access sensitive data (such as the Findings section of a simulation), modify payloads executed by deployed agents to compromise all hosts where agents are installed (therefore the Scope is changed). Users should upgrade to version 2.0.13 to receive a fix.
AI Analysis
Technical Summary
OpenAEV's password reset implementation prior to version 2.0.13 has multiple weaknesses: reset tokens never expire and are only 8-digit numeric codes. Attackers can generate many valid tokens over time and brute-force them efficiently, enabling unauthenticated remote password resets for any registered user. Since email addresses are exposed by design, attackers only need a registered email to exploit this. Successful exploitation results in full account takeover, allowing access to sensitive data and modification of payloads executed by agents, thus compromising all hosts where agents are installed. The vulnerability is present in cloud-hosted OpenAEV versions >=1.0.0 and <2.0.13. Users should upgrade to version 2.0.13 to remediate.
Potential Impact
An unauthenticated remote attacker can reset passwords for any registered user account, including administrators, without knowing the original password. This leads to full account takeover and platform compromise, exposing sensitive data and enabling modification of deployed agent payloads, which can compromise all hosts managed by the platform. The vulnerability affects all registered users due to exposed email addresses and the weak, non-expiring token mechanism.
Mitigation Recommendations
A patch is available in OpenAEV version 2.0.13 that addresses this vulnerability. Users of affected versions should upgrade to 2.0.13 to remediate the issue. Since this is a cloud-hosted service, the vendor manages remediation server-side; verify with the vendor advisory that the platform is updated accordingly.
CVE-2026-24467: CWE-640: Weak Password Recovery Mechanism for Forgotten Password in OpenAEV-Platform openaev
Description
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover. The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if newer tokens are issued for the same account. This allows an attacker to accumulate valid password reset tokens over time and reuse them at any point in the future to reset a victim’s password. A secondary weakness is that password reset tokens are only 8 digits long. While an 8-digit numeric token provides 100,000,000 possible combinations (which is secure enough), the ability to generate large numbers of valid tokens drastically reduces the required number of attempts to guess a valid password reset token. For example, if an attacker generates 2,000 valid tokens, the brute-force effort is reduced to approximately 50,000 attempts, which is a trivially achievable number of requests for an automated attack. (100 requests per second can mathematically find a valid password reset token in 500 seconds.) By combining these flaws, an attacker can mass-generate valid password reset tokens and then brute-force them efficiently until a match is found, allowing the attacker to reset the victim’s password to a value of their choosing. The original password is not required, and the attack can be performed entirely without authentication. This vulnerability enables full account takeover that leads to platform compromise. An unauthenticated remote attacker can reset the password of any registered user account and gain complete access without authentication. Because user email addresses are exposed to other users by design, a single guessed or observed email address is sufficient to compromise even administrator accounts with non-guessable email addresses. This design flaw results in a reliable and scalable account takeover vulnerability that affects any registered user account in the system. Note: The vulnerability does not require OpenAEV to have the email service configured. The exploit does not depend on the target email address to be a real email address. It just needs to be registered to OpenAEV. Successful exploitation allows an unauthenticated remote attacker to access sensitive data (such as the Findings section of a simulation), modify payloads executed by deployed agents to compromise all hosts where agents are installed (therefore the Scope is changed). Users should upgrade to version 2.0.13 to receive a fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenAEV's password reset implementation prior to version 2.0.13 has multiple weaknesses: reset tokens never expire and are only 8-digit numeric codes. Attackers can generate many valid tokens over time and brute-force them efficiently, enabling unauthenticated remote password resets for any registered user. Since email addresses are exposed by design, attackers only need a registered email to exploit this. Successful exploitation results in full account takeover, allowing access to sensitive data and modification of payloads executed by agents, thus compromising all hosts where agents are installed. The vulnerability is present in cloud-hosted OpenAEV versions >=1.0.0 and <2.0.13. Users should upgrade to version 2.0.13 to remediate.
Potential Impact
An unauthenticated remote attacker can reset passwords for any registered user account, including administrators, without knowing the original password. This leads to full account takeover and platform compromise, exposing sensitive data and enabling modification of deployed agent payloads, which can compromise all hosts managed by the platform. The vulnerability affects all registered users due to exposed email addresses and the weak, non-expiring token mechanism.
Mitigation Recommendations
A patch is available in OpenAEV version 2.0.13 that addresses this vulnerability. Users of affected versions should upgrade to 2.0.13 to remediate the issue. Since this is a cloud-hosted service, the vendor manages remediation server-side; verify with the vendor advisory that the platform is updated accordingly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-23T00:38:20.546Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69e6514819fe3cd2cd0f545b
Added to database: 4/20/2026, 4:16:08 PM
Last enriched: 4/20/2026, 4:31:20 PM
Last updated: 4/20/2026, 5:18:48 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.