HIGH 7.3

CVE-2026-10167: Authentication Bypass in BrinaryBrains School Management System

A flaw in the OUSL-GROUP-BrinaryBrains School Student Management System allows attackers to bypass authentication by manipulating role parameters during login cookie creation. An attacker can remotely exploit this without requiring special privileges or user interaction, potentially gaining unauthorized access to the system. Proof-of-concept code has been publicly released, increasing the risk of real-world exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-287
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This impacts the function sign_auth_cookie of the file application/controllers/Login.php of the component MY_Controller. Executing a manipulation of the argument role can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the sign_auth_cookie function within application/controllers/Login.php of the MY_Controller component. Improper validation of the role argument during authentication cookie generation (CWE-287: Improper Authentication) allows an attacker to tamper with role assignments. The system uses rolling releases without fixed version numbers, making it difficult to precisely identify affected or patched builds. The flaw is remotely exploitable and requires no authentication or user interaction to trigger.

Business impact

Educational institutions relying on this system face direct threats to student record confidentiality, data integrity, and system availability. Unauthorized access via authentication bypass could allow attackers to view or modify student grades, personal information, and enrollment records. The combination of public exploit availability and the system's use in educational settings means attack surface is broad and motivation among threat actors is high. For administrators, this creates immediate compliance risks under FERPA and similar educational data protection regulations.

Affected systems

OUSL-GROUP-BrinaryBrains School Student Management System up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 is affected. The product uses rolling releases rather than traditional versioning, so administrators cannot rely on specific version numbers to determine exposure. Any deployment of this system at or prior to the specified commit is potentially vulnerable. Verify your deployment's commit hash against the provided reference to assess coverage.

Exploitability

Exploitability is high: the attack is remotely triggered over the network, requires no authentication to initiate, needs no user interaction, and carries no special complexity. Public exploit code has been released, dramatically lowering the barrier to weaponization. Threat actors can begin attacks immediately without reverse-engineering or developing custom tools. The CVSS 3.1 score of 7.3 (HIGH) reflects this accessible attack surface combined with meaningful impact to confidentiality, integrity, and availability.

Remediation

Contact OUSL-GROUP immediately to confirm patch status and obtain an updated build beyond the vulnerable commit hash. Given the rolling-release model, request specific build identifiers or commit hashes that remediate CVE-2026-10167. If no patch is available, implement network-level controls: restrict administrative access to the login function, enforce IP whitelisting for authentication endpoints, and monitor for suspicious role manipulation attempts in logs. Consider deploying a Web Application Firewall (WAF) to detect and block role parameter tampering patterns.

Patch guidance

Verify with the vendor whether a patched commit or release is available. Given the rolling-release approach, documentation from OUSL-GROUP should specify the minimum safe commit hash or build identifier. Update your deployment to the patched commit, then validate that the sign_auth_cookie function properly validates and sanitizes the role argument. Test authentication workflows thoroughly post-update, including multi-role user accounts, to ensure legitimate access is not disrupted.

Detection guidance

Monitor authentication logs for unusual role assignments, particularly escalations to administrative or privileged roles from untrusted sources. Inspect HTTP requests to the login endpoint for tampered or unexpected role values in cookies or POST parameters. Implement alerting for successful authentications immediately followed by privilege escalation or anomalous data access patterns. Web Application Firewall logs should flag attempts to inject or modify role values during the authentication handshake. Additionally, review login controller source code changes to confirm patched versions include explicit role validation and sanitization.

Why prioritize this

This vulnerability merits immediate attention due to four converging factors: (1) direct authentication bypass enabling unauthorized system access; (2) public exploit availability accelerating attack likelihood; (3) deployment in educational settings handling sensitive student data; and (4) vendor non-responsiveness suggesting prolonged exposure. Organizations running this system should prioritize patching or implementing compensating controls within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects a remotely exploitable, unauthenticated attack with no user interaction required (AV:N/AC:L/PR:N/UI:N). Impact to confidentiality, integrity, and availability is rated as LOW individually but collectively significant for a school management context. The public availability of exploit code and the vendor's lack of response amplify real-world risk beyond the base CVSS, warranting elevated prioritization in remediation queues.

Frequently asked questions

Why doesn't the vendor have specific version numbers?

OUSL-GROUP uses a rolling-release model for continuous delivery. This means patches are deployed as commits to a main branch rather than discrete versioned releases. To determine if you are affected, compare your deployed commit hash against the vulnerable commit (1e70e5ad1125b86dca4ee086eb6bb121f17708b6) provided in the advisory.

Can this be exploited without network access?

No. The vulnerability is remotely exploitable (AV:N in CVSS), meaning an attacker need only send crafted authentication requests over the network. No physical access or local system presence is required.

What data is at immediate risk?

Student records stored in the system—including grades, personal information, enrollment details, and potentially other educational data—are at risk of unauthorized access, modification, or exfiltration if an attacker successfully manipulates their role during login.

Has the vendor released a fix?

As of the advisory publication, the vendor has not responded to the early notification. Check the official OUSL-GROUP repository or contact them directly to confirm whether a patch commit has been released post-publication.

This analysis is provided for informational purposes only and does not constitute legal or professional advice. SEC.co makes no warranty regarding the accuracy or completeness of vendor information, patch availability, or deployment timelines. Organizations should verify all technical details, patch status, and compatibility independently before deployment. Patch version numbers, affected product lists, and remediation guidance are based on public vendor advisories and may change. Consult your security team and vendor advisories before implementing any remediation steps. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).