CVE-2026-24664 identifies a username enumeration vulnerability in the Open eClass platform, a comprehensive course management system widely used in academic environments. The vulnerability exists in versions prior to 4.2 and stems from observable response discrepancies during the login process. Specifically, when an attacker submits a login request with a username, the system's response behavior differs depending on whether the username exists or not, allowing attackers to confirm valid usernames without authentication or user interaction. This type of vulnerability is classified under CWE-204 (Observable Response Discrepancy). Although it does not directly expose passwords or other sensitive data, enumerating valid usernames can facilitate further targeted attacks such as password guessing, phishing, or social engineering. The vulnerability has been assigned a CVSS v3.1 base score of 5.3, indicating a medium severity level due to its network attack vector, low attack complexity, and no required privileges or user interaction, but limited impact confined to confidentiality of user existence information. No known exploits are currently reported in the wild. The issue was publicly disclosed and patched in version 4.2 of Open eClass, which addresses the response discrepancy to prevent username enumeration. Organizations still running earlier versions remain vulnerable and should prioritize patching.

For European organizations, particularly educational institutions using Open eClass, this vulnerability poses a moderate risk. The ability to enumerate valid usernames can aid attackers in crafting more effective credential stuffing, brute force, or phishing campaigns targeting students, faculty, or staff. While the vulnerability does not directly compromise passwords or system integrity, it lowers the barrier for attackers to identify legitimate accounts, increasing the likelihood of successful subsequent attacks. This can lead to unauthorized access, data leakage, or disruption of educational services if combined with other vulnerabilities or weak password policies. The impact is primarily on confidentiality of user identity information and indirectly on overall security posture. Given the widespread use of Open eClass in European academia, the threat is relevant, especially where patch management is delayed or where multi-factor authentication is not enforced.

The primary mitigation is to upgrade all Open eClass installations to version 4.2 or later, where the vulnerability has been fixed. In addition, organizations should implement monitoring and alerting on login endpoints to detect abnormal login attempts or enumeration patterns, such as rapid sequential username testing. Rate limiting login requests and implementing account lockout policies after multiple failed attempts can reduce the risk of automated enumeration and brute force attacks. Enforcing strong password policies and deploying multi-factor authentication (MFA) will further mitigate risks arising from username enumeration. Security teams should also conduct regular audits of user accounts and educate users about phishing risks. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block suspicious login behavior indicative of enumeration attempts.