Password Reset Vulnerability in OPEXUS eComplaint and eCASE by OPEXUS
CVE-2026-32865

9.2CRITICAL

Key Information:

Vendor: Opexus
Status: Ecomplaint; Ecase
Vendor: CVE Published:; 19 March 2026

What is CVE-2026-32865?

OPEXUS eComplaint and eCASE versions before 10.1.0.0 are vulnerable to an issue where a secret verification code is included in the HTTP response during a password reset request. This allows attackers who have knowledge of a valid user’s email address to reset passwords without any additional security checks. Notably, existing security questions that could provide a layer of verification are bypassed in this process, increasing the risk of unauthorized account access.

Affected Version(s)

eCASE 0

eCASE 0 < 10.1.0.0

eComplaint 0

References

https://raw.githubusercontent.com/cisagov/CSAF/develop/cs...

https://www.cve.org/CVERecord?id=CVE-2026-32865

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Mar 16, 2026

Credit

Adam Rose, CISA

CVE-2026-32865 Data

JSON

Opexus

What is CVE-2026-32865?

Affected Version(s)

References

CVSS V4

Timeline

Credit