CVE-2026-24467
Published: 20 April 2026
Description
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover.

The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if newer tokens are issued for the same account. This allows an attacker to accumulate valid password reset tokens over time and reuse them at any point in the future to reset a victim's password.

A secondary weakness is that password reset tokens are only 8 digits long. While an 8-digit numeric token provides 100,000,000 possible combinations (which is secure enough on its own), the ability to generate large numbers of valid tokens drastically reduces the number of attempts needed to guess a valid password reset token. For example, if an attacker generates 2,000 valid tokens, the brute-force effort is reduced to approximately 50,000 attempts, which is a trivially achievable number of requests for an automated attack (at 100 requests per second, a valid password reset token can mathematically be found in 500 seconds).

By combining these flaws, an attacker can mass-generate valid password reset tokens and then brute-force them efficiently until a match is found, allowing the attacker to reset the victim's password to a value of their choosing. The original password is not required, and the attack can be performed entirely without authentication.

This vulnerability enables full account takeover that leads to platform compromise. An unauthenticated remote attacker can reset the password of any registered user account and gain complete access. Because user email addresses are exposed to other users by design, a single guessed or observed email address is sufficient to compromise even administrator accounts with non-guessable email addresses. This design flaw results in a reliable and scalable account takeover vulnerability that affects any registered user account in the system.

Note: The vulnerability does not require OpenAEV to have the email service configured. The exploit does not require the target email address to be a real email address; it only needs to be registered in OpenAEV. Successful exploitation allows an unauthenticated remote attacker to access sensitive data (such as the Findings section of a simulation) and to modify payloads executed by deployed agents, compromising all hosts where agents are installed (hence the CVSS Scope metric is Changed). Users should upgrade to version 2.0.13 to receive a fix.
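The two weaknesses above (non-expiring tokens and a small numeric token space) can be contrasted with a reset-token store that addresses both. The following Python is an added illustration, not OpenAEV's code: it reproduces the advisory's attempt-count arithmetic and shows a store that issues high-entropy, expiring, single-use tokens and revokes the previous token whenever a new one is issued. The 15-minute TTL, the class and function names, and the in-memory store are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the advisory fixes no specific value


def expected_guesses(space_size: int, valid_tokens: int) -> int:
    """Approximate blind guesses needed when `valid_tokens` distinct valid
    tokens are spread over `space_size` values (the advisory's N / k estimate).
    With 8 digits and 2,000 live tokens this is 100,000,000 / 2,000 = 50,000."""
    return space_size // valid_tokens


class ResetTokenStore:
    """One outstanding reset token per account: 256-bit, expiring, single use."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # account -> (sha256(token), expires_at)

    def issue(self, account: str) -> str:
        # Issuing a new token overwrites the old entry, so a requester cannot
        # accumulate many simultaneously valid tokens for the same account.
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not 8 digits
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[account] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account: str, token: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:    # expired tokens are dropped, never honoured
            del self._pending[account]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):  # constant-time comparison
            return False
        del self._pending[account]      # single use: a redeemed token is gone
        return True
```

Only the hash of the token is stored, so a read of the store does not yield usable tokens; a production deployment would also rate-limit the reset endpoints (the AC-7 control below).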
Mitigating Controls (NIST 800-53 r5) [AI-generated]
IA-5 requires managing authenticators with expiration, sufficient strength, and revocation procedures, directly preventing non-expiring short password reset tokens from enabling account takeover.
SI-2 mandates identification, reporting, and timely correction of system flaws, directly mitigating this CVE by requiring upgrades to patched versions like OpenAEV 2.0.13.
AC-7 limits consecutive invalid authentication attempts with lockout or delays, reducing the feasibility of brute-forcing accumulated valid password reset tokens.
Security Summary [AI-generated]
CVE-2026-24467 is a critical vulnerability in the password reset implementation of OpenAEV, an open source platform for planning, scheduling, and conducting cyber adversary simulation campaigns and tests. It affects versions 1.0.0 through 2.0.12. The core issues include password reset tokens that do not expire, remaining valid indefinitely even after time passes or newer tokens are issued, and tokens that are only 8 digits long. These flaws enable attackers to accumulate valid tokens over time and brute-force them efficiently, as generating thousands of tokens reduces the search space to a trivial number of attempts achievable via automation.
An unauthenticated remote attacker can exploit this vulnerability against any registered user account, including administrators, without requiring the original password or a configured email service; the attack only needs a registered email address, and email addresses are exposed to other users by design. By mass-generating valid tokens and brute-forcing until a match is found, the attacker resets the victim's password to one of their choosing, achieving full account takeover. This grants complete platform access, including sensitive data in simulation Findings sections, and allows modification of payloads executed by deployed agents, enabling compromise of all hosts where those agents are installed and changing the CVSS scope.
The official mitigation, as detailed in the GitHub security advisory (GHSA-vcjx-vw28-25p2) and release notes for version 2.0.13, is to upgrade to OpenAEV 2.0.13, which addresses the token expiration and generation weaknesses. The fixing commit (c09a4e71ea76d26fc28c9b51c76bca89a902df4f) and vulnerable code in UserApi.java are publicly available for review. The vulnerability is rated CVSS 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and mapped to CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability in the public-facing password reset mechanism of OpenAEV enables unauthenticated remote exploitation (T1190) through brute-forcing short, non-expiring tokens to achieve account takeover.