PT-2026-33787 · Openaev · Openaev

Published

2026-04-20

·

Updated

2026-04-30

·

CVE-2026-24467

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenAEV versions 1.0.0 through 2.0.12
Description: The password reset flow has two weaknesses that together allow reliable account takeover. Reset tokens never expire and are never invalidated: every token ever issued stays valid, even after newer tokens have been generated for the same account. The tokens are also only 8 digits long, so there are at most 10^8 possible values. An unauthenticated remote attacker can therefore request a large number of resets for a target account, so that many valid tokens are outstanding at once, and then brute-force the token endpoint; every outstanding token raises the chance that a guess matches, so the guessing effort drops in proportion to the number of tokens issued. This lets the attacker set a new password for any registered user without knowing the current one, and it works even when no email service is configured on the platform. A successful takeover can lead to full platform compromise: access to sensitive data and the ability to modify the payloads executed by deployed agents, which in turn compromises the hosts those agents run on.
Recommendations: Upgrade to version 2.0.13.
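The attack described above, as an added example that is not part of this advisory and not OpenAEV's code: a minimal model of the weak scheme (8-digit tokens that never expire and are never superseded) next to a hardened reset flow that issues a 256-bit token, stores only its hash, keeps one live token per account, expires it, and consumes it on use. Class and function names are hypothetical, the "victim" account and the flood size are constructed inputs, and the hardened redeem step binds the token to the account it was issued for, which is a design choice of this example rather than something the advisory states.

```python
"""Weak versus hardened password-reset tokens (constructed example)."""
import hashlib
import random
import secrets
import time

TOKEN_SPACE = 10**8  # an 8-digit numeric token has at most 10**8 values


class WeakResetService:
    """Models the flawed flow: short numeric tokens that are never expired
    and never superseded, so every token ever issued stays redeemable."""

    def __init__(self, rng):
        self.rng = rng
        self.valid = {}  # token -> user; nothing is ever removed

    def request_reset(self, user):
        token = f"{self.rng.randrange(TOKEN_SPACE):08d}"
        self.valid[token] = user  # the previous token for `user` stays valid too
        return token

    def redeem(self, token):
        return self.valid.get(token)  # any token ever issued still works


def expected_guesses(outstanding_tokens):
    """Expected number of guesses until the first hit when `outstanding_tokens`
    distinct valid tokens exist in a space of TOKEN_SPACE values and the
    attacker guesses without repeating: (N + 1) / (k + 1)."""
    return (TOKEN_SPACE + 1) / (outstanding_tokens + 1)


def attack_weak(service, victim, flood):
    """Mass-issue `flood` tokens for `victim`, then walk the token space until
    any of them redeems. Returns the number of guesses used."""
    for _ in range(flood):
        service.request_reset(victim)
    for guess in range(TOKEN_SPACE):
        if service.redeem(f"{guess:08d}") == victim:
            return guess + 1
    return None


def demo_weak(flood=20000, seed=7):
    """Deterministic run of the attack against the weak service."""
    return attack_weak(WeakResetService(random.Random(seed)), "victim", flood)


class HardenedResetService:
    """One live token per account, 256-bit random value, hash-at-rest,
    time-limited, single-use, constant-time comparison."""

    TTL_SECONDS = 15 * 60

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # user -> (sha256 hex of token, expiry timestamp)

    def request_reset(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Overwriting supersedes any earlier token for this account.
        self.pending[user] = (digest, self.clock() + self.TTL_SECONDS)
        return token

    def redeem(self, user, token):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self.pending[user]  # expired: drop it so it cannot be retried
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(digest, presented):
            return False
        del self.pending[user]  # single use: consumed on success
        return True


if __name__ == "__main__":
    print(f"expected guesses with 1 token: {expected_guesses(1):.0f}")
    print(f"expected guesses with 10**5 tokens: {expected_guesses(10**5):.0f}")
    print(f"weak service broken after {demo_weak()} guesses")
```

Running the module prints the expected-guess figures for one versus 10^5 outstanding tokens and the actual guess count from the seeded simulation; the contrast is the whole point, since expiring tokens and superseding the previous one would cap the attacker at a single 8-digit target, and a 256-bit token makes even that target unguessable.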

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-24467

Affected Products

Openaev