Account Enumeration Vulnerability in OpenAEV by OpenAEV Platform
CVE-2026-24468

5.3MEDIUM

Key Information:

Vendor

Openaev-platform

Status
Openaev
Vendor
CVE Published:
20 April 2026

What is CVE-2026-24468?

The OpenAEV platform contains a flaw in its /api/reset endpoint that allows attackers to identify registered email addresses based on inconsistent server responses. When a non-existent email is provided, the server returns a 400 Bad Request error, while a valid email generates a 200 OK response. This discrepancy enables attackers to automate requests with possible email addresses and confirm their existence without needing any form of authentication. To mitigate this vulnerability, the endpoint should standardize its responses, thereby preventing unauthorized disclosure of account information. The issue was resolved in version 2.0.13.

Affected Version(s)

openaev >= 1.11.0, < 2.0.13

References

https://github.com/OpenAEV-Platform/openaev/security/advi...
x_refsource_CONFIRM
https://github.com/OpenAEV-Platform/openaev/commit/3430fe...
x_refsource_MISC
https://github.com/OpenAEV-Platform/openaev/blob/82fa7d00...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.