CVE-2026-24773 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Open eClass platform, a widely used course management system. Prior to version 4.2, the platform suffers from an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated remote attackers to access personal files of other users by directly requesting resources using predictable user identifiers. This vulnerability occurs because the application fails to properly verify whether the requesting user is authorized to access the requested resource, relying instead on user-controlled keys that can be manipulated. The flaw enables attackers to enumerate or guess user IDs and retrieve sensitive personal data without any authentication or interaction. The CVSS v3.1 score of 7.5 reflects the high impact on confidentiality, with no impact on integrity or availability, and the ease of exploitation due to network accessibility and lack of required privileges. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to user privacy and data security. The issue has been addressed and patched in Open eClass version 4.2, which implements proper authorization checks to prevent unauthorized access.

For European organizations, particularly educational institutions using Open eClass, this vulnerability can lead to unauthorized disclosure of personal and potentially sensitive information of students, faculty, and staff. Such data breaches can result in privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential legal consequences. The exposure of personal files could also facilitate further targeted attacks such as phishing or social engineering. Since the vulnerability does not affect data integrity or system availability, the primary concern is confidentiality. The ease of exploitation without authentication increases the risk of widespread data leakage. Organizations relying on versions prior to 4.2 must consider the risk of unauthorized data access and the implications for data protection obligations under European law.

The primary mitigation is to upgrade all Open eClass installations to version 4.2 or later, where the vulnerability has been patched. Organizations should immediately inventory their Open eClass deployments and prioritize patching. In addition, administrators should review and strengthen access control mechanisms to ensure that user identifiers cannot be exploited to access unauthorized data. Implementing logging and monitoring to detect unusual access patterns or repeated requests for different user IDs can help identify exploitation attempts. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting user identifiers. Educating users and administrators about the risks of exposing predictable identifiers and enforcing the principle of least privilege in system design are also recommended. Finally, organizations should conduct regular security assessments and penetration testing to verify that authorization controls are effective.