OpenAEV Account Takeover: Critical Flaws in Password Reset
The National Vulnerability Database (NVD) has detailed CVE-2026-24467, a critical account takeover vulnerability affecting OpenAEV versions 1.0.0 through 2.0.12. OpenAEV, an open-source platform for cyber adversary simulation, contains multiple weaknesses in its password reset implementation that enable unauthenticated remote attackers to gain full access to any user account.
The primary flaw, according to NVD, is that password reset tokens never expire. Once generated, a token remains valid indefinitely, allowing attackers to accumulate and reuse them at will. Compounding this, tokens are only 8 digits long. While 100 million combinations might seem sufficient in isolation, the ability to generate a large volume of valid tokens drastically reduces the brute-force effort, because every outstanding token is a valid target and a guess succeeds if it matches any of them. NVD explains that generating just 2,000 valid tokens can cut the brute-force requirement to approximately 50,000 attempts (100,000,000 possible values divided by 2,000 live tokens), which is trivial for automated attacks.
Combined, these issues permit an attacker to mass-generate valid password reset tokens and then efficiently brute-force them to find a match. This allows resetting any user’s password without needing the original password or any prior authentication. Given that user email addresses are exposed by design within OpenAEV, even administrator accounts can be compromised. Successful exploitation leads to platform compromise, enabling access to sensitive data and modification of payloads executed by deployed agents, effectively changing the scope of simulations and potentially compromising all hosts where agents are installed. Users must upgrade to version 2.0.13 immediately.
What This Means For You
- If your organization uses OpenAEV for adversary simulation, you are at critical risk. Unauthenticated attackers can take over any account, including administrators, leading to full platform compromise and potential host compromise via agent manipulation. Verify your OpenAEV version immediately. If it's below 2.0.13, patch to the latest version without delay. Audit all user activity for anomalies if you suspect compromise.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-24467 | Vulnerability | CVE-2026-24467 |
| CVE-2026-24467 | Affected Product | OpenAEV versions 1.0.0 through 2.0.12 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 20, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.