CVE-2026-10167: School Student Management System Cookie Auth Bypass

Executive Summary

A high-severity authentication bypass vulnerability (CVE-2026-10167) has been disclosed in the OUSL-GROUP BrinaryBrains School Student Management System, a PHP-based academic management platform. The flaw resides in the sign_auth_cookie function within application/controllers/Login.php, part of the MY_Controller component. Manipulation of the cookie argument can allow an attacker to bypass authentication controls.

CVSS Score: 7.3 (High)

The vulnerability was published to the NVD on May 31, 2026 and affects all versions up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-10167
CVSS Score	7.3 (High)
Type	Improper Authentication / Cookie Manipulation
Affected Component	`MY_Controller` → `sign_auth_cookie()`
Affected File	`application/controllers/Login.php`
Attack Vector	Network
Published	2026-05-31
Source	NVD / OUSL-GROUP BrinaryBrains

Affected Products

Product	Affected Versions	Status
BrinaryBrains School Student Management System	Up to commit `1e70e5ad`	Vulnerable

This is a PHP CodeIgniter-based school management application used to manage student records, academic scheduling, and administrative operations for educational institutions.

Technical Details

What Is the Vulnerability?

The vulnerability lies in the sign_auth_cookie function within the MY_Controller base controller. Authentication cookie signing in PHP applications commonly involves generating a cryptographic signature or HMAC over user-supplied session data. If the signing logic is weak — for example, relying on predictable values, failing to properly validate the cookie contents, or using insecure comparison methods — an attacker can forge or manipulate cookies to impersonate authenticated users, including administrators.

Attack Vector

1. Attacker observes or intercepts a legitimate authentication cookie
2. Crafts a manipulated cookie value exploiting the flawed sign_auth_cookie logic
3. Submits the crafted cookie to the application
4. Server-side validation accepts the forged cookie
5. Attacker gains unauthorized access as the impersonated user
6. Potential for full administrative access depending on target user role

Cookie-based authentication bypass vulnerabilities in school management systems are particularly dangerous because:

Student and staff PII (names, contact details, grades, health information) is accessible
Administrative accounts can modify records, grades, and enrollment data
Many school management systems run on shared hosting with minimal security hardening
Academic institutions often have delayed patch cycles

Impact Assessment

Impact Area	Description
Authentication Bypass	Unauthorized access to protected application areas
Privilege Escalation	Potential access to admin-level functionality
Data Exposure	Student PII, academic records, staff information
Data Manipulation	Unauthorized modification of grades or enrollment records
Lateral Movement	Access to connected systems if credentials are reused

Recommendations

Immediate Actions

Audit the sign_auth_cookie function in application/controllers/Login.php — replace any weak signing logic with HMAC-SHA256 using a strong secret key
Rotate all session secrets and force re-authentication for all active sessions
Apply the latest patch or update from the OUSL-GROUP BrinaryBrains repository once released
Invalidate existing cookies to ensure forged sessions are terminated

Hardening Measures

- Use PHP's built-in session handling with HttpOnly and Secure cookie flags
- Implement constant-time comparison (hash_equals()) for cookie validation
- Add rate limiting and anomaly detection on login endpoints
- Enable logging for all authentication events
- Conduct a full code audit of MY_Controller and related auth logic

If Running This Software

Verify your commit — check if you are running a version beyond commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6
Monitor access logs for unexpected authenticated sessions
Restrict access to the admin panel by IP if possible
Consider a WAF rule to block suspicious cookie manipulation attempts

Detection Indicators

Indicator	Description
Abnormal session patterns	Authenticated sessions without a corresponding login event
Cookie anomalies	Malformed or unexpected cookie signatures in access logs
Unexpected admin activity	Administrative actions performed outside normal hours or from unusual IPs
Failed auth followed by success	Brute-force or trial-and-error cookie manipulation

References

Executive Summary

CVSS Score: 7.3 (High)

The vulnerability was published to the NVD on May 31, 2026 and affects all versions up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-10167
CVSS Score	7.3 (High)
Type	Improper Authentication / Cookie Manipulation
Affected Component	`MY_Controller` → `sign_auth_cookie()`
Affected File	`application/controllers/Login.php`
Attack Vector	Network
Published	2026-05-31
Source	NVD / OUSL-GROUP BrinaryBrains

Affected Products

Product	Affected Versions	Status
BrinaryBrains School Student Management System	Up to commit `1e70e5ad`	Vulnerable

This is a PHP CodeIgniter-based school management application used to manage student records, academic scheduling, and administrative operations for educational institutions.

Technical Details

What Is the Vulnerability?

Attack Vector

1. Attacker observes or intercepts a legitimate authentication cookie
2. Crafts a manipulated cookie value exploiting the flawed sign_auth_cookie logic
3. Submits the crafted cookie to the application
4. Server-side validation accepts the forged cookie
5. Attacker gains unauthorized access as the impersonated user
6. Potential for full administrative access depending on target user role

Cookie-based authentication bypass vulnerabilities in school management systems are particularly dangerous because:

Student and staff PII (names, contact details, grades, health information) is accessible
Administrative accounts can modify records, grades, and enrollment data
Many school management systems run on shared hosting with minimal security hardening
Academic institutions often have delayed patch cycles

Impact Assessment

Impact Area	Description
Authentication Bypass	Unauthorized access to protected application areas
Privilege Escalation	Potential access to admin-level functionality
Data Exposure	Student PII, academic records, staff information
Data Manipulation	Unauthorized modification of grades or enrollment records
Lateral Movement	Access to connected systems if credentials are reused

Recommendations

Immediate Actions

Audit the sign_auth_cookie function in application/controllers/Login.php — replace any weak signing logic with HMAC-SHA256 using a strong secret key
Rotate all session secrets and force re-authentication for all active sessions
Apply the latest patch or update from the OUSL-GROUP BrinaryBrains repository once released
Invalidate existing cookies to ensure forged sessions are terminated

Hardening Measures

- Use PHP's built-in session handling with HttpOnly and Secure cookie flags
- Implement constant-time comparison (hash_equals()) for cookie validation
- Add rate limiting and anomaly detection on login endpoints
- Enable logging for all authentication events
- Conduct a full code audit of MY_Controller and related auth logic

If Running This Software

Verify your commit — check if you are running a version beyond commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6
Monitor access logs for unexpected authenticated sessions
Restrict access to the admin panel by IP if possible
Consider a WAF rule to block suspicious cookie manipulation attempts

Detection Indicators

Indicator	Description
Abnormal session patterns	Authenticated sessions without a corresponding login event
Cookie anomalies	Malformed or unexpected cookie signatures in access logs
Unexpected admin activity	Administrative actions performed outside normal hours or from unusual IPs
Failed auth followed by success	Brute-force or trial-and-error cookie manipulation

CVE-2026-10167: School Student Management System Cookie Auth Bypass

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

What Is the Vulnerability?

Attack Vector

Impact Assessment

Recommendations

Immediate Actions

Hardening Measures

If Running This Software

Detection Indicators

References

CVE-2026-10236: Improper Authorization in SourceCodester Water Billing Management System

CVE-2026-8293: Really Simple Security WordPress Plugin 2FA Authentication Bypass

CVE-2026-10110: SQL Injection in Student Details Management System 1.0

CVE-2026-10167: School Student Management System Cookie Auth Bypass

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

What Is the Vulnerability?

Attack Vector

Impact Assessment

Recommendations

Immediate Actions

Hardening Measures

If Running This Software

Detection Indicators

References

CVE-2026-10236: Improper Authorization in SourceCodester Water Billing Management System

CVE-2026-8293: Really Simple Security WordPress Plugin 2FA Authentication Bypass

CVE-2026-10110: SQL Injection in Student Details Management System 1.0

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

What Is the Vulnerability?

Attack Vector

Why PHP Cookie Auth Bugs Are High-Risk

Impact Assessment

Recommendations

Immediate Actions

Hardening Measures

If Running This Software

Detection Indicators

References

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

What Is the Vulnerability?

Attack Vector

Why PHP Cookie Auth Bugs Are High-Risk

Impact Assessment

Recommendations

Immediate Actions

Hardening Measures

If Running This Software

Detection Indicators

References