Critical (9.0)

OpenAEV account takeover via password reset (CVE-2026-24467)

CVE-2026-24467

Unauthenticated account takeover flaw in OpenAEV 1.0.0-2.0.12 lets attackers brute-force non-expiring password reset tokens. Upgrade to 2.0.13 now.

Affected: Filigran Openaev

Patch now - CVE-2026-24467 is a critical account takeover in OpenAEV versions 1.0.0 through 2.0.12 that grants unauthenticated attackers full control of any user account, including administrators, via brute-forced password reset tokens. Exploitation requires only a target’s email address.

Overview

A critical vulnerability in the OpenAEV adversary simulation platform allows unauthenticated attackers to take over any user account, including administrator profiles. The flaw resides in the platform’s password reset mechanism, which contains two key weaknesses that, when combined, create a reliable path to full system compromise.

Vulnerability Details

The vulnerability, tracked as CVE-2026-24467, is present in OpenAEV versions 1.0.0 through 2.0.12. The primary issue is that password reset tokens never expire. Once generated, a token remains valid indefinitely, even if newer tokens are issued for the same account. This allows an attacker to accumulate a large number of valid tokens over time.

A secondary weakness is that these tokens are only 8 digits long. While this provides 100 million possible combinations, the ability to stockpile valid tokens drastically reduces the effort needed for a brute-force attack. For instance, generating 2,000 valid tokens reduces the expected search to approximately 50,000 guesses, a trivial number for an automated script. By mass-generating tokens and then brute-forcing them, an attacker can reliably find a working token for any registered user.
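The two weaknesses above compound: the search cost falls in proportion to how many tokens stay valid at once. The following added example (not OpenAEV code; the store class, field names and TTL are assumptions) quantifies that effect with the advisory's own numbers and shows a reset-token design that removes both preconditions: a 256-bit random token instead of 8 digits, at most one live token per account so issuing a new one retires the old, a short expiry, single use, and only a hash kept server-side.

```python
"""Added example (hypothetical, not OpenAEV's implementation): quantify the
token-stockpiling risk and show a reset-token store that closes both gaps."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def expected_guesses(token_space: int, outstanding_tokens: int) -> int:
    """Expected random guesses before hitting any one of `outstanding_tokens`
    distinct valid tokens in a space of `token_space` values.
    8 decimal digits (1e8) with 2,000 live tokens -> 50,000 guesses."""
    if outstanding_tokens <= 0:
        raise ValueError("no live tokens")
    return token_space // outstanding_tokens


@dataclass
class _Record:
    token_hash: bytes   # SHA-256 of the token; the token itself is never stored
    expires_at: float   # absolute time after which the token is dead
    used: bool = False  # single-use flag


class ResetTokenStore:
    """Hypothetical hardened store (assumed design, not OpenAEV's):
    one live token per account, short TTL, single use, hash-only storage."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable for testing
        self._records: dict[str, _Record] = {}  # email -> latest record only

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, email: str) -> str:
        # Overwriting the previous record means an older token can never be
        # redeemed, so tokens cannot be accumulated for a later search.
        token = secrets.token_urlsafe(32)       # 256 bits of entropy
        self._records[email] = _Record(self._digest(token), self.clock() + self.ttl)
        return token

    def redeem(self, email: str, token: str) -> bool:
        rec = self._records.get(email)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        # Constant-time comparison of hashes, not of the raw token.
        if not hmac.compare_digest(rec.token_hash, self._digest(token)):
            return False
        rec.used = True                          # burn the token on success
        return True


def demo() -> dict:
    """Exercise the store with a fake clock and return the observed outcomes."""
    now = [1_000_000.0]
    store = ResetTokenStore(ttl_seconds=900, clock=lambda: now[0])
    user = "alice@example.test"                  # constructed sample account
    first = store.issue(user)
    second = store.issue(user)                   # supersedes `first`
    results = {
        "stale_token_rejected": not store.redeem(user, first),
        "current_token_accepted": store.redeem(user, second),
        "reuse_rejected": not store.redeem(user, second),
    }
    third = store.issue(user)
    now[0] += 901                                # step past the TTL
    results["expired_token_rejected"] = not store.redeem(user, third)
    results["guesses_8_digits_2000_live"] = expected_guesses(10**8, 2000)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `issue()` overwriting rather than appending is that the number of outstanding tokens per account is pinned at one, so the `expected_guesses` denominator never grows; the 256-bit token makes the numerator unsearchable regardless.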

Impact and Exploitation

Exploitation does not require authentication, knowledge of the original password, or a functional email system. An attacker only needs a target’s email address, which is exposed to other users by design within the platform. Successful exploitation grants the attacker complete control of the victim’s account.

For a platform designed to manage sensitive cyber simulation data, this is a severe breach. Attackers can access confidential findings, modify simulation payloads, and potentially use deployed agents to compromise connected hosts, fundamentally altering the security scope of the entire environment.

Remediation and Mitigation

The only complete remediation is to upgrade OpenAEV to version 2.0.13 or later, where the password reset tokens have been fixed to expire properly. Administrators should prioritize this update immediately.

If an immediate upgrade is not possible, organizations should consider restricting network access to the OpenAEV instance to trusted IP ranges as a temporary mitigation. However, this does not address the core vulnerability and should not be considered a substitute for patching.
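Stockpiling tokens requires the attacker to trigger thousands of reset requests, which is visible in request logs. While an instance remains unpatched, a detection that flags bursts of reset requests per source and target gives defenders a signal to act on. The following added example (not OpenAEV's own logging or tooling; the log line format, endpoint path and thresholds are constructed assumptions) runs a sliding-window count over sample log lines and emits one alert per (source IP, target email) pair that crosses the threshold.

```python
"""Added example (hypothetical log format, not OpenAEV's): flag bursts of
password-reset requests, the precondition for stockpiling reset tokens."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed access-log layout; field names and path are not OpenAEV's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) POST /api/password-reset email=(?P<email>\S+) src=(?P<src>\S+)$"
)


def parse(line: str):
    """Return (timestamp, email, src) for a reset request line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["email"], m["src"]


def detect_reset_bursts(lines, window=timedelta(minutes=10), threshold=5):
    """Sliding-window count of reset requests per (src, email).
    Emits one alert per key the first time it reaches `threshold` requests
    inside `window`. Assumes lines arrive in chronological order."""
    recent = defaultdict(deque)   # key -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:         # unrelated request, skip
            continue
        ts, email, src = parsed
        key = (src, email)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "email": email,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


# Constructed sample log: one normal request, then a burst against one account.
SAMPLE_LOG = [
    "2026-02-10T09:58:00Z POST /api/password-reset email=bob@example.test src=198.51.100.7",
    "2026-02-10T10:00:01Z POST /api/password-reset email=alice@example.test src=203.0.113.5",
    "2026-02-10T10:00:02Z POST /api/password-reset email=alice@example.test src=203.0.113.5",
    "2026-02-10T10:00:03Z POST /api/password-reset email=alice@example.test src=203.0.113.5",
    "2026-02-10T10:00:04Z POST /api/password-reset email=alice@example.test src=203.0.113.5",
    "2026-02-10T10:00:05Z POST /api/password-reset email=alice@example.test src=203.0.113.5",
    "2026-02-10T10:00:06Z POST /api/password-reset email=alice@example.test src=203.0.113.5",
    "2026-02-10T10:00:07Z GET /api/me src=203.0.113.5",
    "2026-02-10T10:30:00Z POST /api/password-reset email=alice@example.test src=203.0.113.5",
]


if __name__ == "__main__":
    for alert in detect_reset_bursts(SAMPLE_LOG):
        print(alert)
```

A threshold of five reset requests for one account from one source inside ten minutes is far below what token stockpiling needs and still well above ordinary user behaviour; tune `window` and `threshold` to the instance's real traffic, and consider a second counter keyed on source IP alone, since an attacker may rotate target accounts.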

Security Insight

This vulnerability highlights a recurring theme in application security: the compounding risk of seemingly minor design flaws. Non-expiring tokens are a known anti-pattern, but when combined with a brute-force-able token space, they create a critical, scalable attack vector. Similar to the "LangChain, LangGraph Flaws Expose Files, Secrets" incident, it underscores that security tools themselves must be built with robust, defense-in-depth security principles to avoid becoming the very vulnerability they are meant to help discover.
