Skip to content
Threat Feed
high threat exploited

CVE-2026-10167 Improper Authentication in OUSL-GROUP-BrinaryBrains School Student Management System

CVE-2026-10167 is an improper authentication vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System allowing a remote attacker to manipulate the 'role' argument to bypass authentication.

CVE-2026-10167 identifies an improper authentication vulnerability within the OUSL-GROUP-BrinaryBrains School Student Management System, affecting versions up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This vulnerability resides in the sign_auth_cookie function of the application/controllers/Login.php file, specifically within the MY_Controller component. A remote attacker can exploit this flaw by manipulating the role argument, leading to unauthorized access. The exploit is publicly available, increasing the risk of active exploitation. The vendor employs rolling releases, making specific affected versions difficult to pinpoint. The project has been notified of the vulnerability but has yet to respond.

Attack Chain

  1. Attacker identifies the sign_auth_cookie function within application/controllers/Login.php.
  2. Attacker crafts a malicious HTTP request targeting the vulnerable function.
  3. The HTTP request includes a manipulated role argument designed to bypass authentication checks.
  4. The server-side application processes the crafted request without proper validation of the role parameter.
  5. The application’s authentication logic incorrectly grants access based on the attacker-supplied role.
  6. The attacker gains unauthorized access to the system with elevated privileges.
  7. Attacker performs actions they are not authorized to do.
  8. Attacker potentially exfiltrates sensitive student data or modifies system settings.

Impact

Successful exploitation of CVE-2026-10167 allows unauthorized remote attackers to bypass authentication and gain elevated privileges within the OUSL-GROUP-BrinaryBrains School Student Management System. This can lead to sensitive data breaches, modification of student records, and disruption of school operations. The lack of a vendor response increases the urgency for defenders to implement mitigating controls. Given the public availability of the exploit, attacks are likely to occur.

Recommendation

  • Monitor web server logs for requests targeting application/controllers/Login.php with suspicious manipulation of the role parameter. Deploy the Sigma rule Detect Suspicious Role Parameter Manipulation to identify potential exploitation attempts.
  • Implement input validation and sanitization on the role parameter within the sign_auth_cookie function to prevent malicious manipulation.
  • Apply rate limiting to the authentication endpoint to mitigate brute-force attempts to exploit the vulnerability.
  • Consider deploying a web application firewall (WAF) rule to block requests that match the exploit pattern.

Detection coverage 2

Detect Suspicious Role Parameter Manipulation

high

Detects CVE-2026-10167 exploitation — Manipulation of the 'role' parameter in the Login.php

sigma tactics: initial_access techniques: T1190 sources: webserver

Detect Access to Login.php After Role Manipulation

medium

Detects access to sensitive resources after potential CVE-2026-10167 exploitation via Login.php

sigma tactics: persistence techniques: T1547.001 sources: webserver

Detection queries are available on the platform. Get full rules →