CVE-2026-11552 Overview
CVE-2026-11552 is a hard-coded password vulnerability affecting SourceCodester Online Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System version 1.0. The same product is distributed under two distinct names. The flaw resides in the import_users.php script, where the raw_password argument is set to the hard-coded value CICT_2026. An unauthenticated attacker can exploit the issue remotely. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed instances. The weakness is classified under [CWE-255] (Credentials Management Errors).
Critical Impact
Any actor who knows the hard-coded password CICT_2026 can authenticate as imported users, leading to unauthorized account access across affected deployments.
Affected Products
- SourceCodester Online Examination & Learning Management System 1.0
- SourceCodester Syllabus-aligned Learning Management and Examination System 1.0
- Both names refer to the same distributed codebase
Discovery Timeline
- 2026-06-08 - CVE-2026-11552 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-11552
Vulnerability Analysis
The vulnerability exists in the user import workflow implemented in import_users.php. When the application provisions accounts through this import routine, it assigns the static string CICT_2026 to the raw_password field rather than generating a per-user secret or requiring a credential reset on first login. Because the password is embedded in source code, every imported account shares the same predictable credential.
An attacker reaching the login interface over the network can authenticate to any imported account by supplying CICT_2026. No prior authentication, user interaction, or special privilege is required. Successful login yields access to the targeted user's data and any application functions tied to that role, including instructor or administrative capabilities depending on which accounts were imported.
The issue is amplified by public disclosure of the exploit, which removes the cost of reverse engineering. Operators running either named distribution are equally affected because both ship the same import_users.php logic.
Root Cause
The root cause is the use of a hard-coded password literal inside server-side PHP code. The import routine fails to generate randomized credentials, prompt for a unique password, or enforce a forced password change on first login.
Attack Vector
Exploitation is performed remotely over the network against the application's authentication endpoint. The attacker enumerates usernames created through import_users.php and submits the known password CICT_2026 to gain access. The attack requires no privileges and no user interaction.
No verified proof-of-concept code is published in the references. See the VulDB entry for CVE-2026-11552 for additional disclosure details.
Detection Methods for CVE-2026-11552
Indicators of Compromise
- Successful authentication events using the password value CICT_2026 against accounts created by import_users.php.
- Repeated login attempts from a single source IP iterating through imported usernames.
- Session activity from imported accounts originating from unexpected geographic locations or hosting providers.
Detection Strategies
- Perform static review of import_users.php to confirm the presence of the CICT_2026 literal assigned to raw_password.
- Query the user database for rows where the stored password hash matches the hash of CICT_2026, which identifies accounts still using the default credential.
- Correlate web server access logs for POST requests to the login handler that immediately follow access to import endpoints.
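The hash-matching check above only works as a plain SQL comparison when the application stores unsalted MD5/SHA1 digests; if it uses password_hash() (salted bcrypt/argon2), each row must be verified individually. The following audit script is an added example, not code from the SourceCodester product; it assumes PDO with MySQL, a users table with id, username and password columns (adjust to your schema), and a read-only database account whose password comes from the LMS_DB_PASS environment variable.

```php
<?php
// Added audit script, not part of the SourceCodester product: lists accounts whose
// stored credential still verifies against the hard-coded default CICT_2026.
// Assumptions (adjust to your schema): PDO/MySQL, a `users` table with `id`,
// `username` and `password` columns, a read-only DB user, password in LMS_DB_PASS.
declare(strict_types=1);

const DEFAULT_PASSWORD = 'CICT_2026';

function usesDefaultPassword(string $stored): bool
{
    // Salted hashes from password_hash() cannot be matched in SQL; verify per row.
    if (str_starts_with($stored, '$2y$') || str_starts_with($stored, '$argon2')) {
        return password_verify(DEFAULT_PASSWORD, $stored);
    }
    // Legacy unsalted hex digests: compare case-insensitively, in constant time.
    $hex = strtolower(trim($stored));
    foreach ([md5(DEFAULT_PASSWORD), sha1(DEFAULT_PASSWORD)] as $digest) {
        if (strlen($hex) === strlen($digest) && hash_equals($digest, $hex)) {
            return true;
        }
    }
    // Plaintext storage is also seen in small PHP apps; cover it as well.
    return hash_equals(DEFAULT_PASSWORD, $stored);
}

function findDefaultPasswordAccounts(PDO $db): array
{
    $hits = [];
    foreach ($db->query('SELECT id, username, password FROM users') as $row) {
        if (usesDefaultPassword((string) $row['password'])) {
            $hits[] = ['id' => (int) $row['id'], 'username' => (string) $row['username']];
        }
    }
    return $hits;
}

$db = new PDO(
    'mysql:host=127.0.0.1;dbname=lms_db;charset=utf8mb4',
    'lms_audit',
    getenv('LMS_DB_PASS') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC]
);
$hits = findDefaultPasswordAccounts($db);
foreach ($hits as $acct) {
    printf("default password still set: id=%d username=%s\n", $acct['id'], $acct['username']);
}
printf("%d account(s) need a forced reset\n", count($hits));
```

Run it once before and once after the forced reset; the second run should report zero accounts.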
Monitoring Recommendations
- Enable verbose authentication logging on the application and forward logs to a centralized SIEM for analysis.
- Alert on bulk successful logins across multiple accounts from a shared source within a short time window.
- Track first-login activity for imported users and flag sessions where the password has not been rotated.
How to Mitigate CVE-2026-11552
Immediate Actions Required
- Remove the hard-coded CICT_2026 value from import_users.php and replace it with a cryptographically random password generated per user.
- Force a password reset for every account previously created through the import workflow.
- Restrict access to the application's authentication endpoint to trusted networks until remediation is complete.
Patch Information
No vendor patch is referenced in the published advisory. Administrators should track the SourceCodester project resources and the VulDB vulnerability record #369162 for any subsequent fix. Until an official patch is released, source-level modification of import_users.php is required to eliminate the static credential.
Workarounds
- Modify the import logic to generate unique random passwords and deliver them through an out-of-band channel.
- Set a password_must_change flag on imported accounts so users are required to choose a new password at first login.
- Disable the import feature entirely if it is not in active use, and remove import_users.php from the web root.
# Identify accounts still using the hard-coded default by hashing the known value
# and comparing against stored hashes (adjust column and table names to your schema)
mysql -u root -p lms_db -e "SELECT id, username FROM users WHERE password = MD5('CICT_2026') OR password = SHA1('CICT_2026');"
# Force password reset on affected accounts
mysql -u root -p lms_db -e "UPDATE users SET force_password_change = 1 WHERE password IN (MD5('CICT_2026'), SHA1('CICT_2026'));"
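The workarounds above (per-user random password, out-of-band delivery, forced change at first login) combined into one import routine, as an added example rather than the project's own import_users.php. It assumes a PDO connection, a users table with username, password and password_must_change columns, and a hypothetical deliverOutOfBand callback that you replace with your own delivery channel.

```php
<?php
// Added example, not the project's own import_users.php: provision imported accounts
// with a per-user random password hashed with password_hash(), and flag them so the
// user must choose a new password at first login. Assumptions: PDO connection, a
// `users` table with `username`, `password`, `password_must_change`; the
// $deliverOutOfBand callback is hypothetical (email, printed slip, etc.).
declare(strict_types=1);

function generateInitialPassword(int $length = 16): string
{
    // Drawn from a CSPRNG; the alphabet omits look-alike characters (0/O, 1/l/I).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** @param array<int, array{username: string}> $rows  rows parsed from the import file */
function importUsers(PDO $db, array $rows, callable $deliverOutOfBand): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, password_must_change) VALUES (:u, :p, 1)'
    );
    $count = 0;
    foreach ($rows as $row) {
        $rawPassword = generateInitialPassword();              // unique per user, never a literal
        $hash = password_hash($rawPassword, PASSWORD_DEFAULT); // salted bcrypt, never stored raw
        $stmt->execute([':u' => $row['username'], ':p' => $hash]);
        $deliverOutOfBand($row['username'], $rawPassword);     // hand over, then drop it
        $rawPassword = '';
        $count++;
    }
    return $count;
}

// Login-side counterpart: after password_verify() succeeds, send the user to the
// change-password page instead of the dashboard while the flag is still set.
function requiresPasswordChange(array $userRow): bool
{
    return (int) ($userRow['password_must_change'] ?? 0) === 1;
}
```

Clearing password_must_change must happen only in the change-password handler, after the new password has been hashed and stored.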
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.