CVE-2026-24468: CWE-204: Observable Response Discrepancy in OpenAEV-Platform openaev
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. When a non-existent email is provided in the login parameter, the endpoint returns an HTTP 400 response (Bad Request). When a valid email is supplied, the endpoint responds with HTTP 200. This difference in server responses creates an observable discrepancy that allows an attacker to reliably determine which emails are registered in the application. By automating requests with a list of possible email addresses, an attacker can quickly build a list of valid accounts without any authentication. The endpoint should return a consistent response regardless of whether the username exists in order to prevent account enumeration. Version 2.0.13 fixes this issue.
AI Analysis
Technical Summary
The OpenAEV-Platform's /api/reset endpoint exhibits an observable response discrepancy that enables account enumeration. Specifically, when a non-existent email is provided, the endpoint returns HTTP 400, whereas a valid email results in HTTP 200. This difference allows unauthenticated attackers to reliably identify registered emails by automating requests. The vulnerability affects versions from 1.11.0 up to but not including 2.0.13. The issue is classified under CWE-204 (Observable Response Discrepancy). The vendor fixed this behavior in version 2.0.13 by ensuring consistent responses regardless of username validity.
Potential Impact
An attacker can enumerate valid user accounts by analyzing the differing HTTP responses from the /api/reset endpoint without requiring authentication. This can facilitate further targeted attacks such as phishing or brute force attempts. There is no direct impact on confidentiality, integrity, or availability beyond the information disclosure of valid usernames.
Mitigation Recommendations
Upgrade OpenAEV-Platform to version 2.0.13 or later, where the /api/reset endpoint returns consistent responses regardless of username validity, preventing account enumeration. Patch status is confirmed by the vendor's versioning information. No other mitigations are specified.
CVE-2026-24468: CWE-204: Observable Response Discrepancy in OpenAEV-Platform openaev
Description
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. When a non-existent email is provided in the login parameter, the endpoint returns an HTTP 400 response (Bad Request). When a valid email is supplied, the endpoint responds with HTTP 200. This difference in server responses creates an observable discrepancy that allows an attacker to reliably determine which emails are registered in the application. By automating requests with a list of possible email addresses, an attacker can quickly build a list of valid accounts without any authentication. The endpoint should return a consistent response regardless of whether the username exists in order to prevent account enumeration. Version 2.0.13 fixes this issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The OpenAEV-Platform's /api/reset endpoint exhibits an observable response discrepancy that enables account enumeration. Specifically, when a non-existent email is provided, the endpoint returns HTTP 400, whereas a valid email results in HTTP 200. This difference allows unauthenticated attackers to reliably identify registered emails by automating requests. The vulnerability affects versions from 1.11.0 up to but not including 2.0.13. The issue is classified under CWE-204 (Observable Response Discrepancy). The vendor fixed this behavior in version 2.0.13 by ensuring consistent responses regardless of username validity.
Potential Impact
An attacker can enumerate valid user accounts by analyzing the differing HTTP responses from the /api/reset endpoint without requiring authentication. This can facilitate further targeted attacks such as phishing or brute force attempts. There is no direct impact on confidentiality, integrity, or availability beyond the information disclosure of valid usernames.
Mitigation Recommendations
Upgrade OpenAEV-Platform to version 2.0.13 or later, where the /api/reset endpoint returns consistent responses regardless of username validity, preventing account enumeration. Patch status is confirmed by the vendor's versioning information. No other mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-23T00:38:20.546Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6514819fe3cd2cd0f5461
Added to database: 4/20/2026, 4:16:08 PM
Last enriched: 4/20/2026, 4:31:38 PM
Last updated: 4/20/2026, 5:23:47 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.