CVE-2026-10169: Weak Password Recovery in OUSL-GROUP-BrinaryBrains School Management System
A weakness in the password recovery feature of OUSL-GROUP-BrinaryBrains School Student Management System allows an attacker to manipulate the email parameter in the forgot password function, potentially leading to unauthorized password resets or account takeover. The vulnerability exists in the Login.php controller's ajax_forgot_password endpoint. While exploitable remotely, the attack requires specific conditions and is considered of low severity. Exploit code is publicly available, increasing risk of opportunistic attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-640
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10169 is a weak password recovery vulnerability (CWE-640) in the ajax_forgot_password function of application/controllers/Login.php within OUSL-GROUP-BrinaryBrains School Student Management System. The flaw stems from insufficient validation or cryptographic safeguards on the email parameter, enabling attackers to bypass or manipulate password recovery mechanisms. The affected product does not use semantic versioning; the vulnerability has been identified in commits up to hash 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. The CVSS v3.1 score of 3.7 reflects low integrity impact with high attack complexity, though public exploit availability increases practical risk.
Business impact
Student information systems managing enrollment, grades, and academic records are potential targets. Compromised educator or administrator accounts could lead to unauthorized access to sensitive student data (FERPA-protected in the US), grade tampering, or disruption of academic operations. The impact is primarily integrity-focused rather than availability-driven. Institutions relying on this system should assess data sensitivity and regulatory obligations governing educational records.
Affected systems
OUSL-GROUP-BrinaryBrains School Student Management System is affected up to the commit hash 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. No version numbers are officially released for this product. The vendor has not yet responded to early disclosure notifications. Organizations should verify their deployment status directly with the project or by inspecting their installed commit hash.
Exploitability
The vulnerability is remotely exploitable without authentication. However, successful exploitation requires high attack complexity—meaning an attacker must satisfy non-trivial preconditions such as crafting specific email payloads or exploiting timing windows in the password recovery workflow. Public exploit code now exists, lowering the barrier for less sophisticated attackers. Nevertheless, widespread mass exploitation is unlikely due to attack complexity constraints.
Remediation
Engage with the OUSL-GROUP-BrinaryBrains project to obtain a patched version or commit hash that remediates the weak password recovery logic. Remediation should include: robust input validation on email parameters, implementation of time-limited and cryptographically secure password reset tokens, rate limiting on password recovery requests, and logging of recovery attempts. Until a fix is available, consider implementing Web Application Firewall (WAF) rules to restrict suspicious patterns in forgot-password requests.
Patch guidance
The vendor has not yet released an official patch. Monitor the project repository and advisory channels for updates. When available, patches should address email parameter validation and token generation in the password recovery endpoint. Test patches in a non-production environment before deployment. Given the educational nature of the system, coordinate patching with academic calendars to minimize disruption. Contact the vendor directly to understand their remediation timeline and interim mitigations.
Detection guidance
Monitor access logs for unusual patterns in the /ajax_forgot_password endpoint, including repeated requests with varying email parameters, requests from anomalous geographic locations, or requests followed by suspicious login activity. Implement intrusion detection rules targeting CWE-640 weak recovery patterns. Log all password recovery requests with timestamps, source IPs, and email addresses targeted. Alert on high request rates to the forgot-password endpoint or on recovery tokens used outside normal time windows.
Why prioritize this
Despite the LOW CVSS score, this vulnerability warrants attention because it affects a school management system handling sensitive student and staff data. Educational institutions face regulatory compliance obligations (FERPA, state privacy laws) regarding record security. Public exploit availability elevates practical risk. However, the high attack complexity means this is not an emergency—prioritize after patching higher-severity vulnerabilities, but address within standard patching cycles to maintain defense-in-depth posture.
Risk score, explained
The CVSS v3.1 score of 3.7 (LOW) reflects: remote network accessibility (AV:N), high attack complexity (AC:H) requiring specific conditions, no privilege or user interaction required (PR:N/UI:N), limited scope (S:U), negligible confidentiality impact (C:N), low integrity impact (I:L) via potential account takeover, and no availability impact (A:N). The score appropriately captures the technical difficulty of exploitation. However, context matters: educational data sensitivity and public exploit availability suggest organizations should not delay remediation solely based on CVSS alone.
Frequently asked questions
What is CWE-640 and why does it matter here?
CWE-640 is 'Weak Password Recovery Mechanism for Forgotten Password.' It describes systems that fail to properly validate or secure the password recovery flow, allowing attackers to reset accounts they don't own. In a school system, this could allow compromise of educator or administrator accounts, leading to unauthorized access to student records or grade manipulation.
Why is the attack complexity rated as 'HIGH' if this is remotely exploitable?
High attack complexity means an attacker must satisfy non-standard conditions—for example, crafting malformed email payloads, exploiting race conditions, or timing attacks around token generation. This is harder than a simple network request. However, public exploit code now exists, so attackers no longer have to research these conditions independently.
The vendor hasn't responded—what should our school do now?
First, verify your installed commit hash against the vulnerable version. Consider interim controls: enable WAF rules on the forgot-password endpoint, enforce rate limiting, and monitor for suspicious recovery attempts. Document the vulnerability in your risk register. Reach out to the vendor through multiple channels (GitHub issues, support email, security contact). Plan a migration or upgrade path if the vendor remains unresponsive.
Is this on the KEV catalog?
No, CVE-2026-10169 is not currently on CISA's Known Exploited Vulnerabilities (KEV) catalog. While public exploits exist, KEV inclusion typically follows documented active exploitation in the wild by threat actors. Monitor KEV status changes, as this could shift prioritization.
This analysis is based on publicly available vulnerability data as of the publication date. SEC.co makes no warranties regarding the completeness, accuracy, or applicability of this information to any specific environment. Organizations must independently verify affected versions, patch availability, and compatibility with their infrastructure. Consult the official vendor advisory and your organization's security and compliance teams before implementing remediation steps. Public exploit existence does not guarantee successful exploitation in all environments; attack success depends on specific deployment configurations and defensive controls in place. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-35676HIGHphpMyFAQ Unauthenticated Password Reset Vulnerability
- CVE-2024-42206LOWHCL iReflection Third-Party Component Vulnerability
- CVE-2025-48616LOWAndroid Lockdown Bypass via Screen Pinning Logic Error
- CVE-2025-52608LOWHCL iControl Missing Cookie Attributes Vulnerability
- CVE-2025-52609LOWHCL iControl Missing Security Headers XSS Vulnerability
- CVE-2025-52611LOWHCL iControl Stack Trace Disclosure (v4.0.0)
- CVE-2025-62338LOWHCL BigFix CLM Input Validation Flaw – Information Disclosure Risk
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure