CVE-2026-24467 Overview
CVE-2026-24467 is an authentication bypass vulnerability affecting OpenAEV, an open source platform designed for organizations to plan, schedule, and conduct cyber adversary simulation campaigns and tests. The vulnerability exists in OpenAEV's password reset implementation, which contains multiple security weaknesses that together enable reliable account takeover without authentication.
The primary flaw is that password reset tokens never expire—once generated, a token remains valid indefinitely regardless of time elapsed or whether newer tokens are issued for the same account. A secondary weakness compounds this issue: password reset tokens are only 8 digits long. While 100,000,000 combinations might seem adequate in isolation, the ability to accumulate valid tokens drastically reduces brute-force complexity. An attacker generating 2,000 valid tokens reduces the search space to approximately 50,000 attempts, achievable in roughly 500 seconds at 100 requests per second.
Critical Impact
Unauthenticated remote attackers can reset any registered user's password and gain complete platform access, including administrator accounts, leading to full platform compromise and potential host compromise through payload modification.
Affected Products
- OpenAEV versions 1.0.0 through 2.0.12
- openaev:openaev (all vulnerable versions)
Discovery Timeline
- 2026-04-20 - CVE-2026-24467 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-24467
Vulnerability Analysis
This vulnerability combines two distinct weaknesses in the password reset mechanism to create a reliable attack path. The non-expiring token design violates fundamental security principles for credential reset workflows—tokens should be single-use and time-limited to minimize the window of opportunity for exploitation. The implementation stores tokens without timestamp validation, allowing accumulated tokens to persist indefinitely in a valid state.
The 8-digit numeric token space interacts dangerously with the non-expiration flaw. Each legitimate password reset request creates another valid entry point for attackers. Over time, organizations with active user bases accumulate a growing pool of valid tokens. This transforms what should be a needle-in-a-haystack search into a progressively easier brute-force operation.
The attack requires no authentication and does not depend on email delivery—the exploit only requires knowledge of a registered email address. Since OpenAEV exposes user email addresses to other users by design, obtaining target email addresses is trivial. Successful exploitation grants attackers access to sensitive simulation data in the Findings section and the ability to modify payloads executed by deployed agents, potentially compromising all hosts running OpenAEV agents.
Root Cause
The root cause is a combination of CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) flaws in the password reset implementation. The UserApi.java endpoint lacks token expiration validation and utilizes an insufficiently complex token format. The security configuration in AppSecurityConfig.java permits unauthenticated access to the /api/reset/** endpoints, which is expected behavior but becomes dangerous when combined with the weak token implementation.
Attack Vector
The attack is network-based and can be executed entirely without authentication. An attacker follows this sequence:
- Identify a target user's registered email address (exposed by platform design)
- Repeatedly trigger password reset requests for the target account over time
- Accumulate a pool of valid, non-expiring tokens
- Execute an automated brute-force attack against the 8-digit token space
- Successfully reset the target's password using a matched token
- Gain complete access to the victim's account, including administrative functions if applicable
The security patch modified the application's security configuration to add proper controls:
/**/.antMatchers("/api/player/**").permitAll()
/**/.antMatchers("/api/settings").permitAll()
/**/.antMatchers("/api/login").permitAll()
+ /**/.antMatchers("/api/reset/**").permitAll()
/**/.antMatchers("/api/**").authenticated()
.and()
.logout()
Source: GitHub Commit Changes
The fix also introduced additional dependencies to support improved token handling:
<artifactId>commons-email</artifactId>
<version>1.5</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-collections4</artifactId>
+ <version>4.4</version>
+ </dependency>
<dependency>
<groupId>org.flywaydb</groupId>
<artifactId>flyway-core</artifactId>
Source: GitHub Commit Changes
Detection Methods for CVE-2026-24467
Indicators of Compromise
- Unusual volume of password reset requests for individual user accounts
- Multiple failed password reset token validation attempts from single IP addresses
- Successful password resets for accounts where the legitimate user did not initiate the request
- Authentication from unexpected geographic locations following password reset activity
- Modification of simulation payloads or agent configurations without authorized change records
Detection Strategies
- Monitor /api/reset/** endpoints for high-frequency requests targeting specific email addresses
- Implement rate limiting alerts on password reset request volumes per account and per source IP
- Configure alerting for password reset token validation failures exceeding baseline thresholds
- Track authentication patterns to identify account access following anomalous reset activity
- Audit agent payload modifications for unauthorized changes correlating with recent account resets
Monitoring Recommendations
- Deploy web application firewall (WAF) rules to detect and block brute-force patterns against reset endpoints
- Establish baseline metrics for password reset request frequency and alert on statistical anomalies
- Enable detailed logging for all authentication-related API endpoints including reset operations
- Integrate OpenAEV logs with SIEM platforms for correlation with other suspicious network activity
- Implement user notification mechanisms for password reset requests to enable rapid victim awareness
How to Mitigate CVE-2026-24467
Immediate Actions Required
- Upgrade OpenAEV to version 2.0.13 or later immediately
- Audit recent password reset activity and authentication logs for signs of exploitation
- Force password resets for all user accounts as a precautionary measure after upgrading
- Review and revoke any suspicious API tokens or sessions that may have been established through compromised accounts
- Validate integrity of agent payloads and simulation configurations for unauthorized modifications
Patch Information
The vulnerability is fixed in OpenAEV version 2.0.13. The patch implements proper token expiration and strengthens the password reset mechanism. Organizations should upgrade by obtaining the release from the GitHub Release 2.0.13 page. The specific security fix can be reviewed in the GitHub Commit Changes. Additional details are available in the GitHub Security Advisory GHSA-vcjx-vw28-25p2.
Workarounds
- Implement network-level rate limiting on the /api/reset/** endpoints to slow brute-force attempts
- Restrict access to the password reset functionality through reverse proxy or firewall rules to trusted networks
- Monitor and block source IPs exhibiting password reset brute-force patterns
- Consider temporarily disabling password reset functionality if immediate patching is not possible
- Implement additional authentication factors where possible to reduce impact of password compromise
# Example nginx rate limiting configuration for password reset endpoints
limit_req_zone $binary_remote_addr zone=reset_limit:10m rate=5r/m;
location /api/reset/ {
limit_req zone=reset_limit burst=10 nodelay;
proxy_pass http://openaev_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
