Autolab Has Misconfigured Reset Password Permissions
Description
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset-password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset the passwords of privileged users and thereby take over those accounts. This issue is fixed in version 3.0.1. No known workarounds exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Autolab 3.0.0 misconfigures reset-password permissions, letting low-privilege users change passwords of privileged accounts.
Vulnerability
Autolab version 3.0.0 contains a misconfiguration in its password-reset permissions for email-based accounts [1]. The flaw lies in the UsersController, where the change_password_for_user and update_password_for_user actions lacked proper authorization checks: skip_before_action :authenticate_for_action was applied to the whole controller without an except: list, so the authorization hook never ran for these endpoints and insufficiently privileged users could call them [3]. The fix in commit 301689a adds an except: list naming change_password_for_user, update_password_for_user and lti_launch_link_course, so that authenticate_for_action runs again for those three actions, and declares action_auth_level :update_password_for_user, :administrator so that the hook has an administrator requirement to enforce on the update action [3]. Both halves are needed: an action_auth_level declaration does nothing while the hook that checks it is skipped.
Exploitation
An attacker with a low-privilege email-based account could invoke the password-change endpoints directly by crafting HTTP requests [4]. No additional authentication bypass is required beyond having a valid account: because the controller skipped authenticate_for_action, no administrator-level restriction was enforced on these actions [3]. Any authenticated user could therefore submit a password change for any other user, including instructors and administrators.
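To make the Vulnerability and Exploitation sections above concrete, here is an added example (not Autolab's code) that models the Rails callback chain in miniature: before_action, skip_before_action with an except: list, and an action_auth_level hook. It replays the advisory's scenario, a student submitting a new password for an administrator, against the 3.0.0 declarations and against the 3.0.1 ones. The action and hook names mirror the patched controller; the filter-chain implementation, the role ladder, the fail-closed default for actions with no declared level, and the user records are all constructed for this example.

```ruby
# Added example, not Autolab's code: a miniature Rails-style callback chain showing
# why skipping authenticate_for_action for the whole UsersController (3.0.0) exposed
# update_password_for_user, and why the fix needs both the except: list and the
# action_auth_level declaration. The chain, role ladder and users are constructed here.

LEVELS = { student: 0, course_assistant: 1, instructor: 2, administrator: 3 }.freeze

class Forbidden < StandardError; end

# Minimal stand-in for ActionController's callback machinery.
class MiniController
  # Filter name => :all (runs for every action) or an Array of actions it still runs for.
  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : {})
  end

  def self.auth_levels
    @auth_levels ||= {}
  end

  def self.before_action(name)
    filters[name] = :all
  end

  # `skip_before_action :x, except: [...]` skips x everywhere EXCEPT for the listed actions.
  def self.skip_before_action(name, except: [])
    filters[name] = except.map(&:to_sym)
  end

  def self.action_auth_level(action, level)
    auth_levels[action] = level
  end

  attr_reader :current_user, :params, :action_name

  def initialize(current_user, params)
    @current_user = current_user
    @params = params
  end

  # Run every filter that applies to the action (a filter halts by raising), then the action.
  def dispatch(action)
    @action_name = action
    self.class.filters.each do |name, scope|
      send(name) if scope == :all || scope.include?(action)
    end
    send(action)
  end
end

class ApplicationController < MiniController
  before_action :authenticate_for_action

  # Enforces the action_auth_level declared for the current action. An action with no
  # declared level is treated as administrator-only (constructed fail-closed default;
  # Autolab's real fallback is not shown in the advisory).
  def authenticate_for_action
    required = self.class.auth_levels.fetch(action_name, :administrator)
    return if LEVELS.fetch(current_user[:role]) >= LEVELS.fetch(required)

    raise Forbidden, "#{current_user[:name]} (#{current_user[:role]}) may not call #{action_name}"
  end
end

# Builds a UsersController with either the 3.0.0 declarations or the 3.0.1 ones.
def build_users_controller(users, patched:)
  Class.new(ApplicationController) do
    if patched
      skip_before_action :authenticate_for_action,
                         except: [:change_password_for_user, :update_password_for_user,
                                  :lti_launch_link_course]
      action_auth_level :update_password_for_user, :administrator
    else
      skip_before_action :authenticate_for_action # 3.0.0: the hook never runs in this controller
    end

    define_method(:update_password_for_user) do
      target = users.fetch(params[:id])
      target[:password] = params[:user][:password]
      "password of #{target[:name]} changed"
    end
  end
end

# Replays the advisory's scenario: the caller submits a new password for the administrator
# (user 1). Returns the outcome and the administrator's password afterwards.
def run_password_change(patched:, caller_id:)
  users = {
    1 => { id: 1, name: "alice",   role: :administrator, password: "admin-secret" },
    2 => { id: 2, name: "mallory", role: :student,       password: "student-pw" },
  }
  controller = build_users_controller(users, patched: patched)
                 .new(users.fetch(caller_id), { id: 1, user: { password: "pwned" } })
  controller.dispatch(:update_password_for_user)
  { outcome: :allowed, admin_password: users[1][:password] }
rescue Forbidden => e
  { outcome: :forbidden, admin_password: users[1][:password], reason: e.message }
end

if __FILE__ == $PROGRAM_NAME
  [[false, 2], [true, 2], [true, 1]].each do |patched, caller_id|
    r = run_password_change(patched: patched, caller_id: caller_id)
    puts "patched=#{patched} caller=#{caller_id}: #{r[:outcome]}, admin password is #{r[:admin_password].inspect}"
  end
end
```

Running it shows the student's request succeeding under the 3.0.0 declarations (the administrator's password becomes "pwned"), being rejected under the 3.0.1 declarations, and the administrator still being able to change passwords after the fix. The except: list is what makes the hook run for update_password_for_user at all; the action_auth_level line is what gives the hook something to enforce.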
Impact
Successful exploitation would allow the attacker to take over a privileged user's account, potentially gaining access to all course management features, including gradebooks, assignment settings, and other students' submissions [2]. The advisory marks this as a high-severity privilege escalation vulnerability [4].
Mitigation
The vulnerability is fixed in Autolab version 3.0.1 [1]. No workarounds are available; upgrading to the patched version is the only remedy [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Autolab (RubyGems) | >= 3.0.0, < 3.0.1 | 3.0.1 |
Patches
1 file changed · +4 −1
app/controllers/users_controller.rb+4 −1 modified@@ -1,7 +1,9 @@ class UsersController < ApplicationController skip_before_action :set_course skip_before_action :authorize_user_for_course - skip_before_action :authenticate_for_action + skip_before_action :authenticate_for_action, + except: [:change_password_for_user, :update_password_for_user, + :lti_launch_link_course] skip_before_action :update_persistent_announcements before_action :set_gh_oauth_client, only: [:github_oauth, :github_oauth_callback] before_action :set_user, @@ -416,6 +418,7 @@ def change_password_for_user redirect_to(user_path) end + action_auth_level :update_password_for_user, :administrator def update_password_for_user @user = User.find_by(id: params[:id]) return if params[:user].nil? || params[:user].is_a?(String) || @user.nil?
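Review bot: the except: list in the first hunk restores authenticate_for_action for change_password_for_user, update_password_for_user and lti_launch_link_course, but only update_password_for_user receives an action_auth_level in this patch; the diff shows none for change_password_for_user or lti_launch_link_course. Please confirm what authenticate_for_action does for an action with no declared level (fail closed, or fall through); if it falls through, add `action_auth_level :change_password_for_user, :administrator` so the form page is gated the same way as the submit. lti_launch_link_course is not mentioned in the advisory; if its inclusion is a separate fix, say so in the commit message or split it out.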
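Review bot: `action_auth_level :update_password_for_user, :administrator` in the second hunk only takes effect because the first hunk stops skipping authenticate_for_action for this action; a later edit that drops the except: entry would silently reopen the hole. Add a controller test asserting that a non-administrator calling update_password_for_user is rejected and that the target user's password is unchanged, so the two declarations are pinned together. Also, the guard `return if params[:user].nil? || params[:user].is_a?(String) || @user.nil?` returns without an explicit redirect or render; an explicit redirect with a flash message would make a malformed or unknown-user request observable rather than silent.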
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-v46j-h43h-rwrm (GitHub Advisory Database entry)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-49376 (NVD entry)
- [3] github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b (fix commit)
- [4] github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm (repository security advisory)