CVE-2026-24664: CWE-204: Observable Response Discrepancy in gunet openeclass

Severity: Medium
Published: Tue Feb 03 2026 (02/03/2026, 16:56:07 UTC)
Source: CVE Database V5
Vendor/Project: gunet
Product: openeclass

Description

CVE-2026-24664 is a medium severity username enumeration vulnerability in the Open eClass platform (formerly GUnet eClass) versions prior to 4.2. It allows unauthenticated attackers to identify valid usernames by analyzing observable differences in login response behavior. This vulnerability does not impact confidentiality beyond username disclosure, nor does it affect integrity or availability. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The issue has been patched in version 4.2. European organizations using affected versions should update promptly to prevent potential reconnaissance activities that could facilitate further attacks. Countries with significant adoption of Open eClass in educational institutions are most at risk. Mitigation involves upgrading to version 4.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/11/2026, 11:55:56 UTC

Technical Analysis

CVE-2026-24664 identifies a username enumeration vulnerability in the Open eClass platform, a comprehensive course management system widely used in academic environments. The vulnerability arises from observable response discrepancies during the login process in versions prior to 4.2. Specifically, when an attacker submits a login request with a username, the system's response behavior differs depending on whether the username exists or not. These differences can be timing variations, error messages, or other subtle response characteristics that allow an unauthenticated attacker to confirm valid usernames without needing credentials or user interaction. This type of vulnerability falls under CWE-204: Observable Response Discrepancy. Although it does not directly expose passwords or sensitive data, username enumeration is a critical reconnaissance step that can facilitate targeted brute force or phishing attacks. The vulnerability has a CVSS v3.1 base score of 5.3 (medium severity), reflecting its network attack vector, low attack complexity, no privileges required, and no user interaction needed. The issue was publicly disclosed in early 2026 and has been addressed in Open eClass version 4.2, which standardizes login responses to prevent enumeration. No known exploits are currently reported in the wild, but the vulnerability's presence in educational platforms makes it a notable risk for institutions relying on Open eClass for course management.
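To make the CWE-204 pattern concrete, the following added example (not Open eClass code) contrasts a login handler that leaks username existence through a distinct message and an early return with one that normalizes both the message and the amount of work done. The user table, salt and password are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user table (not real Open eClass data): username -> (salt, PBKDF2 hash)
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential: unknown usernames still pay for one hash computation,
# so the response time does not reveal whether the account exists.
_DUMMY = (_SALT, _hash(os.urandom(16).hex(), _SALT))


def vulnerable_login(username: str, password: str) -> str:
    """Leaks existence (CWE-204): different text and no hash work for unknown users."""
    if username not in USERS:
        return "Unknown username"  # early return: faster and worded differently
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Wrong password"


def hardened_login(username: str, password: str) -> str:
    """One message and the same work whether or not the username exists."""
    salt, stored = USERS.get(username, _DUMMY)
    # compare_digest always runs first, so timing is uniform for both paths;
    # the membership check only guards against a match on the dummy record.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "OK" if ok else "Invalid username or password"


def enumerable(login, known: str, unknown: str) -> bool:
    """True if a failed attempt on a real user is distinguishable from an unknown user."""
    return login(known, "not-the-password") != login(unknown, "not-the-password")
```

The hardened variant is what "standardizing login responses" amounts to: identical wording, identical status handling, and a password check that costs the same regardless of the lookup result.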

Potential Impact

For European organizations, particularly educational institutions using Open eClass versions prior to 4.2, this vulnerability enables attackers to enumerate valid usernames remotely without authentication. This can lead to increased risk of targeted attacks such as credential stuffing, brute force password attempts, or social engineering campaigns against identified users. While the vulnerability does not directly compromise sensitive data or system integrity, the exposure of valid usernames undermines user privacy and can serve as a stepping stone for more severe attacks. The impact is heightened in environments where usernames correspond to real identities of students, faculty, or staff, potentially exposing them to phishing or identity theft. Additionally, enumeration can facilitate automated attacks that degrade system availability indirectly. Given the widespread use of Open eClass in European academic institutions, the vulnerability could affect a significant user base if unpatched. However, the lack of known active exploitation reduces immediate risk, though the medium severity rating warrants prompt remediation.

Mitigation Recommendations

The primary and most effective mitigation is to upgrade Open eClass to version 4.2 or later, where the username enumeration vulnerability has been patched by normalizing login response behaviors. Organizations should audit their current Open eClass installations to identify affected versions and prioritize updates. In addition to patching, administrators can implement monitoring and alerting on login endpoints to detect unusual patterns indicative of enumeration attempts, such as rapid login failures or repeated requests with varying usernames from single IP addresses. Rate limiting and IP blacklisting can further reduce the risk of automated enumeration. Employing multi-factor authentication (MFA) can mitigate the impact of username disclosure by adding an additional layer of security. User education on phishing risks and secure password practices should complement technical controls. Finally, reviewing and minimizing information leakage in error messages and response times across all authentication interfaces is recommended to prevent similar enumeration issues.
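The monitoring recommendation above can be turned into a simple detector. This added example (not part of the advisory or of Open eClass) flags source IPs that fail login for many distinct usernames inside a short window, which separates enumeration from ordinary password guessing against one account. The log format and all addresses (RFC 5737 test ranges) are constructed for the example; lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format, assumed for this example: "<ISO-8601 UTC> ip=<ip> user=<name> result=<ok|fail>"
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample: 203.0.113.5 sweeps five usernames in 23 s (enumeration),
# 198.51.100.7 retries one account (password guessing), 192.0.2.9 spreads
# five usernames over eight minutes (outside the 60 s window).
SAMPLE_LOG = """
2026-02-03T10:00:00Z ip=203.0.113.5 user=alice result=fail
2026-02-03T10:00:05Z ip=203.0.113.5 user=bob result=fail
2026-02-03T10:00:10Z ip=198.51.100.7 user=alice result=fail
2026-02-03T10:00:11Z ip=203.0.113.5 user=carol result=fail
2026-02-03T10:00:17Z ip=203.0.113.5 user=dave result=fail
2026-02-03T10:00:20Z ip=198.51.100.7 user=alice result=fail
2026-02-03T10:00:23Z ip=203.0.113.5 user=erin result=fail
2026-02-03T10:00:30Z ip=198.51.100.7 user=alice result=ok
2026-02-03T10:01:00Z ip=192.0.2.9 user=alice result=fail
2026-02-03T10:03:00Z ip=192.0.2.9 user=bob result=fail
2026-02-03T10:05:00Z ip=192.0.2.9 user=carol result=fail
2026-02-03T10:07:00Z ip=192.0.2.9 user=dave result=fail
2026-02-03T10:09:00Z ip=192.0.2.9 user=erin result=fail
""".strip().splitlines()


def detect_enumeration(lines, window_seconds=60, distinct_users=5):
    """Return {ip: set(usernames)} for IPs whose failed logins cover at least
    `distinct_users` different usernames within any `window_seconds` window."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures still in window
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["result"] != "fail":
            continue  # skip unparsable lines and successful logins
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop failures older than the window
        users = {u for _, u in q}
        if len(users) >= distinct_users:
            flagged.setdefault(m["ip"], set()).update(users)
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

Thresholds are deliberately parameters: a shared campus NAT address will legitimately produce more distinct usernames per minute than a home connection, so tune them per deployment before wiring the output into rate limiting or blocking.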


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-23T20:40:23.386Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6982fcd6f9fa50a62f76638d

Added to database: 2/4/2026, 8:01:26 AM

Last enriched: 2/11/2026, 11:55:56 AM

Last updated: 3/26/2026, 4:17:27 AM
