CVE-2025-67259

· NIST NVD ↗

A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata.

MEDIUM
CVSS severity
6.5
CVSS base score
2026-04-24
Published

CWE codes

CWE-284CWE-285

Sources