Account Takeover Vulnerability in OpenAEV Platform
CVE-2026-24467

9.1 CRITICAL

Key Information:

CVE Published: 20 April 2026

What is CVE-2026-24467?

The OpenAEV platform, a tool for cyber adversary simulations, has a significant vulnerability in its password reset functionality. Password reset tokens are persistent and never expire, which allows unauthorized access to user accounts. Because an attacker can trigger the generation of many valid tokens, they can brute-force the reset flow against user accounts without any prior authentication. Successful exploitation leads to full account compromise and unauthorized access to sensitive simulation data. Users are advised to upgrade to version 2.0.13 immediately to mitigate this risk.
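To show the properties a reset-token handler needs in order to avoid the failure mode described above, here is an added Python sketch (illustration only, not OpenAEV's code): tokens expire after a fixed TTL, issuing a new token revokes the previous one so only a single token per account is ever valid, and a token is consumed on first successful use. The 15-minute TTL, the in-memory store and the `ResetTokenStore` name are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links valid for 15 minutes


class ResetTokenStore:
    """Issues and verifies password reset tokens.

    Each token is time-limited, only one token per account is live at a time
    (issuing a new one supersedes the old), and a token is deleted once it has
    been redeemed. Only a SHA-256 digest of the token is stored, so reading the
    store does not yield usable tokens.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable for testing
        self._by_user = {}   # user_id -> (token_digest, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id, revoking any earlier one."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._by_user[user_id] = (self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, user_id, token):
        """Return True exactly once for a live, unexpired, matching token."""
        entry = self._by_user.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._clock() > expires_at:
            del self._by_user[user_id]  # expired tokens are purged, never reusable
            return False
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False  # wrong token; constant-time compare avoids timing leaks
        del self._by_user[user_id]  # single use: consume on success
        return True
```

A rate limit on the reset endpoint (per account and per source) complements this, since even short-lived tokens should not be guessable within their window.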

Affected Version(s)

openaev >= 1.0.0, < 2.0.13

CVSS V3.1

  • Score: 9.1
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
