Executive Summary
CVE-2026-24467 describes a multi-step account takeover vulnerability in OpenAEV, an open-source platform for planning and executing cyber adversary simulation campaigns. The password reset implementation combines several individual weaknesses that, when chained together, allow an attacker to reliably take over any account without knowing the original password.
CVSS Score: 9.0 (High)
Fixed in: OpenAEV v2.0.13
Vulnerability Overview
OpenAEV versions 1.0.0 through 2.0.12 contain flaws in the password reset flow that collectively enable account takeover. The vulnerability is not a single bug but a chain of weaknesses in how reset tokens are generated, validated, and expired.
Weakness Chain
| Step | Weakness | Impact |
|---|---|---|
| 1 | Predictable or insufficiently random reset tokens | Token enumeration or brute-force |
| 2 | No rate limiting on reset requests | Rapid token guessing without lockout |
| 3 | Tokens remain valid beyond expected expiry window | Extended attack window |
| 4 | Token validation does not bind to originating user session | Cross-account token misuse |
The combination of these weaknesses allows an attacker who can initiate a reset for a known email address to reliably take over that account through automated token enumeration.
Impact
OpenAEV is used by security teams to run adversary simulation campaigns — meaning a compromised OpenAEV instance could expose:
- Planned and historical red team campaign data
- Target infrastructure details and credentials used in simulations
- Assessor and client contact information
- Scope documents and vulnerability findings
Account takeover of an OpenAEV admin would grant full access to all campaign data and the ability to modify or sabotage active simulations.
Affected Versions
| Version Range | Affected |
|---|---|
| 1.0.0 – 2.0.12 | Yes |
| 2.0.13+ | No (patched) |
Remediation
Immediate Action
Upgrade to OpenAEV v2.0.13, which addresses the password reset implementation.
```bash
# Pull the latest release
git pull origin main
git checkout v2.0.13
# Or update via your package manager / deployment method
```
Additional Hardening
Even after upgrading, review your OpenAEV deployment and apply the following:
- Restrict access — OpenAEV should not be exposed to the public internet. Use VPN or allowlisted IP access only.
- Enable MFA — Where supported, enforce multi-factor authentication on all accounts.
- Review active sessions — Force logout all existing sessions after patching to invalidate any tokens that may have been captured.
- Audit access logs — Review for any unexpected password reset activity prior to patching.
```bash
# Check for suspicious reset activity in logs
# (replace "your-team-ip" with the source addresses your own team uses, so they are filtered out)
grep "password_reset" /var/log/openaev/app.log | grep -v "your-team-ip"
```
Detection
Signs of Exploitation
- Multiple password reset requests for a single email in a short time window
- Password reset completions not correlated with a valid user-initiated session
- Unexpected logins from unfamiliar IP addresses following reset events
- Changes to campaign scope or target data not attributed to known users
SIEM Query (Splunk)
```spl
index=openaev sourcetype=access_log
| where action="password_reset_complete"
| stats count, values(src_ip) as ips by user_email
| where count > 3 OR mvcount(ips) > 2
| sort - count
```
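The exploitation signs listed above and the Splunk query, as an added Python example that is not part of the original advisory or of OpenAEV itself: it runs the same three checks (a burst of reset requests for one email, a reset completion with no user-initiated session, and a post-reset login from an IP never seen for that user) over constructed log lines. The line format, the action names, the `session=-` convention and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real OpenAEV output); assumed format: "<ISO-8601 UTC> <action> user=<email> src_ip=<ip> session=<id or ->"
SAMPLE_LOG = """\
2026-03-01T09:00:00Z login user=alice@example.com src_ip=192.0.2.50 session=s-1001
2026-03-01T10:00:01Z password_reset_request user=alice@example.com src_ip=203.0.113.5 session=-
2026-03-01T10:00:02Z password_reset_request user=alice@example.com src_ip=203.0.113.5 session=-
2026-03-01T10:00:03Z password_reset_request user=alice@example.com src_ip=203.0.113.5 session=-
2026-03-01T10:00:04Z password_reset_request user=alice@example.com src_ip=203.0.113.5 session=-
2026-03-01T10:04:40Z password_reset_complete user=alice@example.com src_ip=203.0.113.5 session=-
2026-03-01T10:05:10Z login user=alice@example.com src_ip=203.0.113.5 session=s-2077
2026-03-01T11:00:00Z login user=bob@example.com src_ip=198.51.100.7 session=s-1002
2026-03-01T11:30:00Z password_reset_request user=bob@example.com src_ip=198.51.100.7 session=-
2026-03-01T11:31:10Z password_reset_complete user=bob@example.com src_ip=198.51.100.7 session=s-1002
"""

def parse_line(line):
    ts, action, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec

def find_suspicious(log_text, max_requests=3, window=timedelta(minutes=10)):
    """Map each email to the sorted list of exploitation signs observed for it."""
    by_user = defaultdict(list)
    for rec in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        by_user[rec["user"]].append(rec)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        signs = set()
        reqs = [e["ts"] for e in evs if e["action"] == "password_reset_request"]
        # Sign 1: more than max_requests reset requests inside any sliding window
        if any(sum(1 for t in reqs[i:] if t - start <= window) > max_requests
               for i, start in enumerate(reqs)):
            signs.add("reset_burst")
        known_ips, reset_seen = set(), False
        for e in evs:
            if e["action"] == "password_reset_complete":
                reset_seen = True
                if e["session"] == "-":  # Sign 2: not tied to a user-initiated session
                    signs.add("uncorrelated_completion")
            elif e["action"] == "login" and not reset_seen:
                known_ips.add(e["src_ip"])  # baseline IPs seen before any reset
            elif e["action"] == "login" and e["src_ip"] not in known_ips:
                signs.add("login_from_new_ip")  # Sign 3: post-reset login, unfamiliar IP
        if signs:
            findings[user] = sorted(signs)
    return findings
```

On the constructed sample, alice is flagged on all three signs while bob (one request, completion tied to his session, no new IP) produces no finding.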