Description

A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata.

INFO

Published Date :

2026-04-24T00:00:00.000Z

Last Modified :

2026-04-24T17:58:28.632Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-67259 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67259.

URL Resource
https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link cve-icon cve-icon
https://github.com/classroomio/classroomio/issues/642 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System