CVE-2026-24467

OpenAEV · OpenAEV

OpenAEV contains critical password reset vulnerabilities, including indefinite token validity and weak entropy, allowing unauthenticated remote attackers to perform full account takeovers.

Executive summary

An unauthenticated account takeover vulnerability in OpenAEV, stemming from flawed password reset logic, enables attackers to compromise any user account, including administrative accounts.

Vulnerability

The platform issues password reset tokens that never expire and that carry too little entropy. Either defect weakens the reset flow on its own; combined they make it trivially brute-forceable: low entropy bounds the search space, and the absence of expiry removes any time limit on searching it, so an unauthenticated attacker can enumerate tokens until one matches and reset any user's password. The result is reliable, repeatable account takeover across the entire platform, with no prior access required.
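To make the two defects concrete, here is an added example (generic illustration, not OpenAEV code and not the vendor's fix) of a reset-token store that enforces the properties whose absence the advisory describes: tokens drawn from the OS CSPRNG, stored only as a hash, bound to a short lifetime, and accepted at most once. The helper at the end estimates whether a brute-force search of a token of a given size fits inside the token's lifetime, which is the arithmetic behind the advisory's point. The class and function names, the 256-bit token size, the 15-minute lifetime and the guessing rates are assumptions.

```python
"""Added example: a reset-token store with the properties the advisory says
OpenAEV lacked (expiry and adequate entropy), plus single use and hashed
storage. Generic illustration, not OpenAEV code; names and limits assumed."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32                 # 256 bits from the OS CSPRNG (assumed size)
TOKEN_BITS = TOKEN_BYTES * 8
TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime; short enough to bound guessing


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float


class ResetTokenStore:
    """Issues and redeems password-reset tokens.

    Only a SHA-256 digest of each token is stored, so a database read does not
    yield usable tokens. Records are keyed by that digest: a wrong guess hashes
    to a key that is simply absent, and a timing difference on digest
    comparison reveals nothing about the token's preimage."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock for testing
        self._by_hash: dict[bytes, ResetRecord] = {}
        self._live_for_user: dict[str, bytes] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: str) -> str:
        # A new request invalidates any earlier outstanding token for the user.
        old = self._live_for_user.pop(user_id, None)
        if old is not None:
            self._by_hash.pop(old, None)
        token = secrets.token_urlsafe(TOKEN_BYTES)
        h = self._digest(token)
        self._by_hash[h] = ResetRecord(user_id, self._now() + TOKEN_TTL_SECONDS)
        self._live_for_user[user_id] = h
        return token

    def redeem(self, presented: str):
        """Return the user_id the token belongs to, or None.

        The record is removed on the first lookup hit, so a token is accepted
        at most once; an expired token is removed and rejected."""
        h = self._digest(presented)
        rec = self._by_hash.pop(h, None)
        if rec is None:
            return None
        self._live_for_user.pop(rec.user_id, None)
        if self._now() > rec.expires_at:
            return None
        return rec.user_id


def brute_force_within_ttl(token_bits: int, guesses_per_second: float,
                           ttl_seconds) -> bool:
    """Whether an attacker guessing at the given rate is expected to hit a
    valid token before it expires. ttl_seconds=None models a token that never
    expires, in which case any finite token space is eventually exhausted."""
    if ttl_seconds is None:
        return True
    expected_seconds = 2 ** (token_bits - 1) / guesses_per_second
    return expected_seconds <= ttl_seconds
```

The two checks in `redeem` are the ones the advisory's fix must add: a clock comparison against `expires_at`, and removal of the record so a token cannot be replayed. `brute_force_within_ttl(20, 1000, None)` returns True for any lifetime of None, which is the indefinite-validity case; with a 15-minute lifetime and 256-bit tokens it returns False even at a billion guesses per second.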

Business impact

This vulnerability carries a CVSS score of 9.0, reflecting its potential for total platform compromise. Successful exploitation grants attackers the ability to access sensitive findings, modify simulation payloads, and compromise all hosts managed by the platform agents, leading to massive data breaches and loss of control over adversary simulation infrastructure.

Remediation

Immediate Action: Upgrade all OpenAEV instances to version 2.0.13, which corrects the password reset logic flaws. After upgrading, confirm that reset tokens issued before the upgrade are no longer accepted, since tokens that never expired may still be outstanding.

Proactive Monitoring: Monitor authentication and access logs for high volumes of requests to the password reset endpoint, in particular many distinct tokens tried from one source or a run of failed reset attempts; either pattern indicates automated brute-force activity against the reset mechanism. Also review successful password resets, especially on administrative accounts, for resets the account owner did not request.

Compensating Controls: Where possible, remove public access to the password reset endpoint until the instance is patched. Otherwise rate-limit the endpoint per source address and per target account. Use account lockout with care: a lockout that an unauthenticated attacker can trigger at will becomes a way to keep legitimate users, administrators included, out of their accounts, so alert on lockouts rather than relying on them alone.
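The monitoring and rate-limiting recommendations above come down to the same check: count hits on the reset endpoint per source over a short window and act when the count is abnormal. The following added example (not OpenAEV code) runs that check over a handful of constructed log lines; the log line layout, the `/api/reset` path, the window and the threshold are assumptions, not OpenAEV's actual format or routes.

```python
"""Added example: flag bursts of password-reset traffic per source IP.
Not OpenAEV code. Log format, endpoint path and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed access-log layout: "<ISO8601 UTC> <client ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
RESET_PATH_PREFIX = "/api/reset"   # assumed route, not OpenAEV's actual one
WINDOW_SECONDS = 60                # sliding window length
THRESHOLD = 10                     # hits per source per window that trigger an alert


def parse_line(line: str):
    """Return (epoch seconds, ip, path, status), or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["ip"], m["path"], int(m["status"])


def find_reset_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of reset-endpoint hits per source IP.

    Lines must be in time order. Returns {ip: (peak hits in one window,
    failed responses among them)} for every source that reached the
    threshold. The same per-source counter, consulted before a request is
    handled, is the rate limiter the remediation section recommends."""
    recent = defaultdict(deque)     # ip -> deque of (t, status) inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, ip, path, status = rec
        if not path.startswith(RESET_PATH_PREFIX):
            continue
        q = recent[ip]
        q.append((t, status))
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            failed = sum(1 for _, s in q if s >= 400)
            if len(q) >= alerts.get(ip, (0, 0))[0]:
                alerts[ip] = (len(q), failed)
    return alerts


def constructed_log():
    """Constructed sample: one source walking through guessed tokens and
    collecting 404s, plus ordinary traffic from another source."""
    guessing = [
        f"2026-02-10T09:14:{s:02d}Z 203.0.113.7 GET {RESET_PATH_PREFIX}/{s:06x} 404"
        for s in range(25)
    ]
    legitimate = [
        f"2026-02-10T09:14:05Z 198.51.100.4 POST {RESET_PATH_PREFIX} 200",
        f"2026-02-10T09:30:00Z 198.51.100.4 GET {RESET_PATH_PREFIX}/3f9a1c 200",
    ]
    return sorted(guessing + legitimate)


if __name__ == "__main__":
    for ip, (hits, failed) in find_reset_bursts(constructed_log()).items():
        print(f"{ip}: {hits} reset-endpoint hits in {WINDOW_SECONDS}s, {failed} failed")
```

On the constructed sample the guessing source is reported with 25 hits, all failed, while the legitimate source never reaches the threshold. Counting hits rather than only failures matters here: a flood of reset requests that succeed (many accounts targeted) is as telling as a run of 404s from token guessing.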

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is highly critical due to the lack of required authentication and the ease of mass account takeover. Administrators must treat this as a high-priority patching task and ensure all instances are updated to version 2.0.13 to restore the integrity of the authentication process.