Medium severity 6.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 24, 2026
CVE-2025-67259
Description
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students' details, tutor/admin profiles, and internal course metadata.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.