PT-2026-33788 · Openaev · Openaev

Published: 2026-04-20 · Updated: 2026-04-21 · CVE-2026-24468

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenAEV versions 1.11.0 through 2.0.12

Description: OpenAEV is an open source platform for planning, scheduling, and conducting cyber adversary simulation campaigns and tests. The '/api/reset' endpoint (password reset) behaves differently depending on whether the submitted login exists in the system. When a non-existent email address is submitted in the login parameter, the server returns HTTP 400, whereas a registered email address produces HTTP 200. Because the status code leaks the lookup result, an unauthenticated attacker can enumerate registered email addresses by automating requests with candidate addresses and comparing the responses.

Recommendations: Update to version 2.0.13.
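The following is an added example, not OpenAEV project code: it models the response discrepancy described above, shows a handler whose response no longer depends on the lookup result, and implements the comparison an attacker or a tester would run to tell the two apart. The user directory, handler names and messages are constructed assumptions for illustration.

```python
"""Added example (not OpenAEV code): account-enumeration oracle on a
password-reset endpoint, its response-equalised counterpart, and the
baseline-comparison check that detects the oracle."""

import secrets

# Constructed sample of registered accounts (assumption, not real data).
REGISTERED = {"alice@example.org", "bob@example.org"}


def vulnerable_reset(login: str) -> tuple[int, dict]:
    """Behaves as the advisory describes: an unknown login gets HTTP 400,
    a known login gets HTTP 200, so the status code is an oracle."""
    if login not in REGISTERED:
        return 400, {"message": "User not found"}
    # A real handler would mint a reset token and e-mail it here.
    return 200, {"message": "Reset e-mail sent"}


def hardened_reset(login: str) -> tuple[int, dict]:
    """Same endpoint with the response decoupled from the lookup result:
    status and body are identical for known and unknown logins; only the
    side effect (sending mail) depends on whether the account exists."""
    if login in REGISTERED:
        pass  # mint token and send mail; nothing about it reaches the caller
    return 200, {"message": "If that address is registered, a reset link has been sent."}


def distinguishable_logins(reset, candidates):
    """Enumeration check usable against any reset handler: call it once
    with a login that certainly does not exist to obtain a baseline, then
    flag every candidate whose status or body differs from that baseline.
    Against the vulnerable handler this yields exactly the registered
    candidates; against the fixed one it yields nothing. It compares
    status and body only; a complete fix must also keep timing constant."""
    baseline_login = f"probe-{secrets.token_hex(8)}@example.invalid"
    baseline = reset(baseline_login)
    return [c for c in candidates if reset(c) != baseline]


if __name__ == "__main__":
    probes = ["alice@example.org", "nobody@example.org", "bob@example.org"]
    print("vulnerable:", distinguishable_logins(vulnerable_reset, probes))  # alice, bob
    print("hardened:  ", distinguishable_logins(hardened_reset, probes))    # []
```

To run the same check against a live instance, replace the `reset` argument with a function that submits the login parameter to `/api/reset` and returns the (status code, parsed body) pair; the known-bogus baseline address keeps the comparison independent of whatever wording the server uses.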

Fix


Weakness Enumeration

Related Identifiers: CVE-2026-24468

Affected Products: Openaev