VYPR
High severity (CVSS 7.3) · NVD Advisory · Published May 31, 2026

CVE-2026-10167

Description

An authentication bypass vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System up to commit 1e70e5ad allows attackers to forge valid session cookies due to a hardcoded encryption key.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

# CVE-2026-10167

Vulnerability

The Login.php controller in the affected School Student Management System (up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6) implements an automatic session restoration feature via the school_auth cookie. The function sign_auth_cookie() in MY_Controller.php creates an HMAC-SHA256 signature using a hardcoded encryption key ('Signetbd' defined in config.php line 308). Because the key is static and known, an attacker can forge a valid cookie for any role (e.g., admin, teacher) and any user ID [1]. The product uses rolling releases, so no specific version numbers are available.

Exploitation

An attacker with network access to the application can forge a school_auth cookie offline. For example, to impersonate an administrator with user ID 0, they compute the HMAC-SHA256 signature of admin:0 using the known key 'Signetbd' to obtain 1d5bd8e459bf76eeced8d45f71eedc102e4c155545a6212ab2fab60e675f67b0. They then craft a cookie school_auth=admin:0:1d5bd8e459bf76eeced8d45f71eedc102e4c155545a6212ab2fab60e675f67b0. Sending a request to any protected endpoint with this cookie (and without an existing server-side session) causes restore_auth_session_from_cookie() to validate the signature and populate the session variables, logging the attacker in as the chosen user [1]. No authentication or user interaction is required.

Impact

Successful exploitation allows an attacker to gain authenticated access as any user, including administrative roles. This leads to privilege escalation, full compromise of the application's data and functionality, and potential exposure of sensitive student records and system settings [1]. The CVSS v3 score is 7.3 (High), reflecting the ease of remote exploitation without special privileges.

Mitigation

No official fix has been released as of the CVE publication date (2026-05-31). The project maintainer was informed via a GitHub issue [1] but has not responded. Users of this rolling-release product are advised to disable the automatic session restoration feature if possible, or to implement a proper secret key management mechanism. The vulnerability is publicly documented and could be used in attacks; no workaround is provided by the vendor.

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Hardcoded static encryption key in `application/config/config.php` allows offline forgery of the `school_auth` cookie's HMAC signature, enabling authentication bypass."

Attack vector

An attacker with network access to any protected endpoint can forge a `school_auth` cookie offline because the HMAC signing key (`Signetbd`) is hardcoded and publicly known [1]. The attacker chooses a role (e.g., `admin`) and user ID (e.g., `0`), computes `HMAC-SHA256(strtolower(role) . ':' . (int)user_id, "Signetbd")`, and crafts a cookie in the format `role:user_id:signature`. Sending this cookie with any request to the application causes `restore_auth_session_from_cookie()` to validate the signature and populate the session, granting the attacker the privileges of the chosen role without any password [1].

Affected code

The vulnerability resides in `application/core/MY_Controller.php` (lines 20–37, 46–80, 121–123) and `application/controllers/Login.php` (lines 81–86). The `sign_auth_cookie()` method in `MY_Controller` generates an HMAC-SHA256 signature using a hardcoded encryption key from `application/config/config.php` (line 308). The `restore_auth_session_from_cookie()` method then validates and populates the session from the forged cookie without any additional authentication [1].

What the fix does

No patch has been published by the vendor. The project was informed via an issue report but has not responded [1]. The advisory recommends replacing the hardcoded static encryption key with a securely generated, per-installation key stored outside the codebase, and ideally implementing additional server-side session validation (e.g., binding the cookie to the client's IP or user-agent) to prevent offline forgery [1].
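One way to apply that recommendation in the application's own language, written here as an added example and not the project's code: the signing key is read from an environment variable (the name `SCHOOL_AUTH_KEY` and the 32-byte minimum are assumptions), the cookie is parsed strictly before any cryptography, and the signature is compared in constant time. The function names mirror the advisory's `sign_auth_cookie()` and the restore path, but the bodies are this example's own.

```php
<?php
// Added example, not the project's code. Assumes the per-installation key is
// supplied via the SCHOOL_AUTH_KEY environment variable (assumed name), set from
// a generated random value outside the repository, never in config.php.

function school_auth_key(): string
{
    $key = getenv('SCHOOL_AUTH_KEY');
    // Fail closed: no default key, no silently weak key.
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('SCHOOL_AUTH_KEY is missing or shorter than 32 bytes');
    }
    return $key;
}

// Same payload layout the advisory describes: strtolower(role) . ':' . (int)user_id
function sign_auth_cookie(string $role, int $user_id, string $key): string
{
    $payload = strtolower($role) . ':' . $user_id;
    return $payload . ':' . hash_hmac('sha256', $payload, $key);
}

// Returns ['role' => ..., 'user_id' => ...] for a valid cookie, null otherwise.
function verify_auth_cookie(string $cookie, string $key): ?array
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$role, $user_id, $sig] = $parts;
    // Strict shape checks before any cryptography: numeric id, 64 hex chars.
    if (!ctype_digit($user_id) || strlen($sig) !== 64 || !ctype_xdigit($sig)) {
        return null;
    }
    $expected = hash_hmac('sha256', strtolower($role) . ':' . (int)$user_id, $key);
    // hash_equals() is constant-time, so the comparison leaks nothing about $expected.
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    return ['role' => strtolower($role), 'user_id' => (int)$user_id];
}

// Demonstration with a fresh random key standing in for the deployed one:
// the cookie value quoted in the advisory (signed under the static key) no
// longer verifies, while a cookie signed with the installation key does.
$key = bin2hex(random_bytes(32));
$forged = 'admin:0:1d5bd8e459bf76eeced8d45f71eedc102e4c155545a6212ab2fab60e675f67b0';
var_dump(verify_auth_cookie($forged, $key) === null);
var_dump(verify_auth_cookie(sign_auth_cookie('Admin', 0, $key), $key) !== null);
```

Moving the key out of the repository only helps once each deployment has actually rotated away from `Signetbd`, which invalidates every cookie signed under the old key; a constant-time check does nothing against a key the attacker already has.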

Preconditions

  • Authentication: No authentication required; the attacker can be unauthenticated and remote.
  • Input: The attacker must know the hardcoded encryption key 'Signetbd' (publicly disclosed in the config file).
  • Network: The attacker must be able to send HTTP requests to any protected endpoint of the application.

Reproduction

1. Choose a role and user ID (e.g., `admin` and `0`).
2. Compute the HMAC-SHA256 signature: `hash_hmac('sha256', 'admin:0', 'Signetbd')` yields `1d5bd8e459bf76eeced8d45f71eedc102e4c155545a6212ab2fab60e675f67b0`.
3. Craft the cookie: `school_auth=admin:0:1d5bd8e459bf76eeced8d45f71eedc102e4c155545a6212ab2fab60e675f67b0`.
4. Send a request to any protected endpoint (e.g., `GET /index.php?admin/dashboard`) with that cookie.
5. The server responds with a new `ci_session` cookie and admin-only content, confirming successful authentication bypass [1].
