Perceptive Security
SOC/SIEM Consultancy

OpenAEV is an open source platform that allows organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0…
Published:
19 April 2026 at 22:00:00
Alert date:
20 April 2026 at 17:02:28
Source:
nvd.nist.gov
Identity & Access, Security Tools
OpenAEV versions 1.0.0 to 2.0.12 contain critical password reset vulnerabilities that enable account takeover. Password reset tokens never expire and are only 8 digits long, allowing attackers to accumulate valid tokens over time and brute-force them efficiently. Attackers can generate thousands of valid tokens and brute-force them in approximately 500 seconds at 100 requests per second. The vulnerability affects all registered user accounts including administrators and can lead to full platform compromise. Email addresses are exposed by design, making any registered account vulnerable. Successful exploitation allows access to sensitive simulation data and modification of payloads on deployed agents.
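The two properties the description calls out, no expiry and an 8-digit keyspace, are exactly what a reset-token implementation has to avoid. The following is an added illustration written for this page, not OpenAEV's code and not the fix shipped in 2.0.13: a hypothetical `ResetTokenService` that issues 256-bit random tokens, stores only their SHA-256 hash, enforces a short time-to-live, allows a single use, replaces any earlier token when a new one is requested, and invalidates the token after a small number of failed attempts. Class, method and constant names are assumptions chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical hardened password-reset token service (example code, not OpenAEV's). */
public final class ResetTokenService {

    private static final int TOKEN_BYTES = 32;              // 256 bits of entropy, not 8 digits
    private static final Duration TTL = Duration.ofMinutes(15); // tokens expire instead of living forever
    private static final int MAX_ATTEMPTS = 5;              // failed guesses burn the token

    private static final class PendingReset {
        final byte[] tokenHash;
        final Instant expiresAt;
        int failedAttempts;
        PendingReset(byte[] tokenHash, Instant expiresAt) {
            this.tokenHash = tokenHash;
            this.expiresAt = expiresAt;
        }
    }

    private final SecureRandom random = new SecureRandom();
    // Keyed by user: a fresh request replaces any earlier token, so valid tokens cannot accumulate.
    private final Map<String, PendingReset> pending = new ConcurrentHashMap<>();

    /** Issues a token. Only its hash is retained, so a database leak does not expose usable tokens. */
    public String issue(String userId) {
        byte[] raw = new byte[TOKEN_BYTES];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(userId, new PendingReset(sha256(token), Instant.now().plus(TTL)));
        return token; // delivered out of band (e.g. e-mail); never written to logs
    }

    /** Consumes a token: valid once, only before expiry, only for the user it was issued to. */
    public synchronized boolean redeem(String userId, String presentedToken) {
        PendingReset entry = pending.get(userId);
        if (entry == null) {
            return false;
        }
        if (Instant.now().isAfter(entry.expiresAt)) {
            pending.remove(userId);
            return false;
        }
        // Constant-time comparison of the hashes avoids leaking how many bytes matched.
        boolean ok = MessageDigest.isEqual(entry.tokenHash, sha256(presentedToken));
        if (ok) {
            pending.remove(userId);                 // single use
        } else if (++entry.failedAttempts >= MAX_ATTEMPTS) {
            pending.remove(userId);                 // too many guesses: force a new request
        }
        return ok;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JDK", e);
        }
    }

    public static void main(String[] args) {
        ResetTokenService svc = new ResetTokenService();
        String token = svc.issue("alice");           // "alice" is a constructed user id
        System.out.println("first redeem: " + svc.redeem("alice", token));
        System.out.println("replay:       " + svc.redeem("alice", token));
        System.out.println("wrong user:   " + svc.redeem("bob", token));
    }
}
```

The design choice worth noting is that each control closes one part of the attack path in the description: high-entropy tokens make guessing infeasible, the TTL and per-user replacement stop tokens from piling up over time, the attempt limit removes the value of sustained request rates, and hashing at rest means a leaked table still does not yield a usable token. In a real deployment the map would be a persistent store and the attempt counter would sit alongside request-rate limiting at the API layer.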
Technical details
Mitigation steps:
Affected products:
OpenAEV
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-24467
https://github.com/OpenAEV-Platform/openaev/blob/82fa7d0009017110c9b509d0dc1b3a78164259dd/openaev-api/src/main/java/io/openaev/rest/user/UserApi.java#L120
https://github.com/OpenAEV-Platform/openaev/commit/c09a4e71ea76d26fc28c9b51c76bca89a902df4f
https://github.com/OpenAEV-Platform/openaev/releases/tag/2.0.13
https://github.com/OpenAEV-Platform/openaev/security/advisories/GHSA-vcjx-vw28-25p2
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
