CVE-2026-24667: CWE-613: Insufficient Session Expiration in gunet openeclass
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2.
AI Analysis
Technical Summary
Open eClass, a course management system formerly known as GUnet eClass, has a session management vulnerability tracked as CVE-2026-24667. In versions prior to 4.2 the platform does not invalidate active user sessions when the account password is changed. A password change should revoke all existing session tokens so that a session that may already be compromised cannot continue to be used. Because of insufficient session expiration controls (CWE-613), existing tokens remain valid, so an attacker who obtained or hijacked a session token before the password change keeps unauthorized access to the account. The CVSS 3.1 base score is 5.0 (medium severity); the vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and low impact on confidentiality, integrity, and availability. No exploits in the wild are currently reported. The CVE was reserved in January 2026 and published in February 2026, and the fix is available in Open eClass version 4.2. The vulnerability primarily affects deployments of older Open eClass versions, particularly educational institutions and organizations that rely on the platform for course management and e-learning.
Potential Impact
For European organizations, especially educational institutions and e-learning providers using Open eClass versions prior to 4.2, this vulnerability poses a risk of unauthorized persistent access to user accounts even after password changes. This can lead to unauthorized data exposure, manipulation of course content, or disruption of services. The impact on confidentiality is limited but non-negligible, as attackers can maintain access to user sessions. Integrity and availability impacts are also possible if attackers modify course data or disrupt user access. Since the vulnerability requires only low privileges and no user interaction, it could be exploited by insiders or attackers who have previously compromised session tokens. The risk is heightened in environments with weak session management policies or where password changes are a primary defense against account compromise. However, the absence of known exploits in the wild and the medium CVSS score suggest the threat is moderate but should not be underestimated.
Mitigation Recommendations
European organizations should immediately upgrade Open eClass installations to version 4.2 or later, where the vulnerability is patched. In addition, organizations should implement strict session management policies, including forced session invalidation upon password changes or other critical account modifications. Monitoring and logging of session activities can help detect anomalous session reuse. Employing multi-factor authentication (MFA) can reduce the risk of session hijacking. Regularly auditing user sessions and enforcing session timeouts will further reduce exposure. For environments where immediate upgrade is not feasible, applying compensating controls such as manual session invalidation and enhanced user awareness about session security is recommended. Network segmentation and limiting access to the Open eClass platform can also reduce attack surface. Finally, organizations should stay informed about any emerging exploits targeting this vulnerability.
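As an added illustration (not Open eClass code), the minimal in-memory session store below models the behaviour described above and the fix the mitigation calls for: each session token is bound to a per-user password generation counter, and a password change bumps the counter so every earlier session fails its per-request validity check. The `invalidate_on_change=False` switch reproduces the pre-4.2 behaviour for comparison; all names and the SHA-256 placeholder hash are assumptions of this example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the flaw and its fix; not Open eClass code. Each user
# carries a password "generation" counter and every session token is bound to
# the generation current when it was issued, so bumping the counter on a
# password change retires all older sessions at once.

@dataclass
class User:
    password_hash: str
    pw_generation: int = 0

@dataclass
class Session:
    username: str
    pw_generation: int

@dataclass
class SessionStore:
    # invalidate_on_change=False reproduces the pre-4.2 behaviour (CWE-613).
    invalidate_on_change: bool = True
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)

    @staticmethod
    def _hash(password: str) -> str:
        # Demo-only hash; a real application uses a slow KDF (bcrypt/argon2).
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, username: str, password: str) -> None:
        self.users[username] = User(self._hash(password))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, self._hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.pw_generation)
        return token

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.password_hash = self._hash(new_password)
        if self.invalidate_on_change:
            user.pw_generation += 1  # every session issued before now is stale

    def is_valid(self, token: str) -> bool:
        # Per-request check: a token survives only while its generation matches.
        sess = self.sessions.get(token)
        return sess is not None and sess.pw_generation == self.users[sess.username].pw_generation
```

In a real deployment the counter (or a password-changed timestamp) lives in the user table and the check runs in the authentication middleware, so it also covers sessions held in a shared store such as a database or Redis.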
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Greece
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T20:40:23.387Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6982fcd8f9fa50a62f76648f
Added to database: 2/4/2026, 8:01:28 AM
Last enriched: 2/4/2026, 8:17:18 AM
Last updated: 2/7/2026, 7:14:40 PM