CVE-2026-2997: CWE-639 Authorization Bypass Through User-Controlled Key in WisdomGarden Tronclass
Tronclass, developed by WisdomGarden, has an Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers can modify a specific parameter to obtain a course invitation code, thereby joining any course.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-2997 affects WisdomGarden's Tronclass educational platform. It is an instance of CWE-639, an authorization bypass caused by insecure direct object references (IDOR). Specifically, after an attacker authenticates, they can obtain a valid course ID and then modify a parameter in requests to retrieve the course invitation code for any course. This unauthorized access allows the attacker to join courses without legitimate enrollment or permission. The vulnerability arises because the application fails to properly verify that the authenticated user is authorized to access the requested course invitation code, relying instead on user-controlled input to identify the course. The CVSS 3.1 base score of 5.4 reflects that the attack vector is network-based (AV:N), requires low attack complexity (AC:L), and requires privileges (PR:L) but no user interaction (UI:N). The impact affects confidentiality and integrity at a low level, as unauthorized users can access invitation codes and join courses, potentially exposing course content or disrupting course membership integrity. No availability impact is noted. The affected version is listed as 0, indicating an early or initial release of the product. No patches or known exploits have been reported at the time of publication. The vulnerability was assigned and published by TW-CERT on February 23, 2026.
Potential Impact
Organizations using WisdomGarden's Tronclass platform are at risk of unauthorized course enrollment by authenticated users exploiting this vulnerability. This can lead to unauthorized access to potentially sensitive educational content, disruption of course management, and compromise of the integrity of course membership data. Educational institutions, training providers, and corporate learning environments relying on Tronclass could face confidentiality breaches of course materials and unauthorized participation in courses, which may affect intellectual property and privacy. While the vulnerability does not directly impact system availability, the integrity and confidentiality impacts could undermine trust in the platform and require costly remediation and user management efforts. The requirement for authenticated access limits exploitation to insiders or registered users, but the low complexity and network accessibility increase the risk within those user populations.
Mitigation Recommendations
To mitigate this vulnerability, WisdomGarden should implement strict authorization checks on all requests involving course invitation codes, ensuring that users can only access invitation codes for courses they are legitimately enrolled in or authorized to join. Parameter validation should be enforced server-side to prevent manipulation of course IDs. Employing access control mechanisms such as role-based access control (RBAC) or attribute-based access control (ABAC) can help restrict access appropriately. Logging and monitoring access to course invitation codes can detect suspicious activity. Organizations should apply any patches or updates provided by WisdomGarden promptly once available. In the interim, administrators can restrict course invitation code visibility and limit enrollment permissions to trusted users. Conducting a security audit of the platform’s authorization logic and educating users about secure credential handling can further reduce risk.
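The object-level authorization check the recommendations above call for, as an added example that is not Tronclass code and does not reflect how the platform is actually built: a hypothetical invitation-code lookup in the CWE-639 shape (the only check is that the supplied course ID exists) beside a hardened version that verifies the caller's relationship to the course server-side before releasing the code, plus a simple detection rule over the denials it records. The Course/User model, the rule that only a course's own instructors or admins may read its invitation code, and the sample data are all constructed assumptions.

```python
"""Hypothetical invitation-code endpoint: the CWE-639 pattern beside a hardened
version. Added example, not Tronclass code; every name and the sample data
below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested course."""


@dataclass
class Course:
    course_id: int
    invitation_code: str                      # secret that grants enrollment
    instructors: Set[int] = field(default_factory=set)


@dataclass
class User:
    user_id: int
    is_admin: bool = False


# Constructed sample data: user 1 teaches course 101, user 2 teaches course 202.
COURSES: Dict[int, Course] = {
    101: Course(101, "JOIN-AAA111", instructors={1}),
    202: Course(202, "JOIN-BBB222", instructors={2}),
}

# Audit trail of denied requests as (user_id, course_id); feeds the detection rule.
DENIED_LOG: List[Tuple[int, int]] = []


def get_invitation_code_vulnerable(user: User, course_id: int) -> str:
    """CWE-639 shape: the user-controlled course_id is the only thing consulted.
    Any authenticated user who changes it receives that course's code."""
    course = COURSES.get(course_id)
    if course is None:
        raise KeyError("no such course")
    return course.invitation_code


def is_authorized_for_code(user: User, course: Course) -> bool:
    """Object-level authorization (assumed policy): invitation codes are only
    readable by the course's own instructors or platform admins."""
    return user.is_admin or user.user_id in course.instructors


def get_invitation_code_secure(user: User, course_id: int) -> str:
    """Hardened handler: resolve the object, then check the caller's relationship
    to it on the server before returning the secret."""
    course = COURSES.get(course_id)
    if course is None or not is_authorized_for_code(user, course):
        # One response for "missing" and "not yours", so the endpoint does not
        # confirm which course IDs exist; record the denial for monitoring.
        DENIED_LOG.append((user.user_id, course_id))
        raise Forbidden("not authorized for this course")
    return course.invitation_code


def suspicious_users(denied_log: List[Tuple[int, int]], threshold: int = 3) -> Set[int]:
    """Detection: a user denied invitation codes for `threshold` or more distinct
    courses is flagged; legitimate instructors rarely trip this."""
    per_user: Dict[int, Set[int]] = {}
    for user_id, course_id in denied_log:
        per_user.setdefault(user_id, set()).add(course_id)
    return {u for u, courses in per_user.items() if len(courses) >= threshold}


if __name__ == "__main__":
    student = User(user_id=42)
    print(get_invitation_code_vulnerable(student, 202))   # leaks course 202's code
    try:
        get_invitation_code_secure(student, 202)
    except Forbidden as exc:
        print("denied:", exc)
    print(suspicious_users(DENIED_LOG))
```

The secure handler deliberately returns the same error whether the course is absent or merely not the caller's, and it logs every denial; the `suspicious_users` rule is the kind of monitoring the recommendations mention, run over that log rather than over raw access logs.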
Affected Countries
United States, China, India, Germany, United Kingdom, Canada, Australia, South Korea, Japan, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: twcert
- Date Reserved: 2026-02-23T01:38:26.604Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699bbc2cbe58cf853bf3201f
Added to database: 2/23/2026, 2:32:12 AM
Last enriched: 3/2/2026, 6:37:33 AM
Last updated: 4/9/2026, 11:48:36 AM
Views: 85