PatchSiren cyber security CVE debrief

CVE-2026-10167 OUSL-GROUP-BrinaryBrains CVE debrief

A medium-severity improper authentication vulnerability (CWE-287) affects the OUSL-GROUP-BrinaryBrains School Student Management System up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. The flaw is in the `sign_auth_cookie` function in `application/controllers/Login.php` of the `MY_Controller` component. A remote attacker can manipulate the `role` argument to bypass authentication controls. An exploit has been publicly disclosed. The project uses rolling releases, so specific version numbers for affected and patched releases are unavailable. The vendor was notified via an issue report prior to publication but had not responded as of the CVE publication date.

Vendor: OUSL-GROUP-BrinaryBrains
Product: School Student Management System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Organizations running the OUSL-GROUP-BrinaryBrains School Student Management System; security teams monitoring PHP-based student information systems; developers responsible for authentication and authorization in CodeIgniter-based applications.

Technical summary

The `sign_auth_cookie` function in `application/controllers/Login.php` does not validate or enforce the `role` parameter, so a remote attacker can manipulate the authentication cookie and gain unauthorized access. The vulnerability is exploitable without prior authentication, and a public exploit is available.

Defensive priority

Medium

Recommended defensive actions

  • Review and restrict `role` parameter handling in the `sign_auth_cookie` function within `application/controllers/Login.php`
  • Implement server-side validation and authorization checks that do not depend on client-supplied role values
  • Apply the principle of least privilege to authentication cookies and session management
  • Monitor application logs for unauthorized authentication attempts or privilege escalation
  • Consider additional authentication factors or session binding to reduce the impact of cookie manipulation
  • If using this product, apply any future vendor updates promptly, given the rolling release model
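The following is an added example of the second and third actions above, written for this debrief and not taken from the OUSL-GROUP-BrinaryBrains code base. It contrasts a cookie-signing routine that signs whatever role the client supplied with a hardened routine that resolves the role from the server-side user record, adds an expiry, and re-derives the role again on every verification. All function names, the in-memory user table, and the secret are hypothetical placeholders.

```php
<?php
// Added example, not the project's code. Names and data below are constructed.

// Placeholder: in production load a random 32-byte secret from configuration, never a literal.
const AUTH_COOKIE_KEY = 'REPLACE-WITH-RANDOM-32-BYTE-SECRET';

// Constructed stand-in for a users table; a real application queries the database here.
function lookup_user_role(int $userId): ?string
{
    $users = [1 => 'admin', 2 => 'teacher', 3 => 'student'];
    return $users[$userId] ?? null;
}

// Weak pattern: the role arrives from the request and is signed as supplied. The MAC only
// proves the server issued the cookie; it says nothing about whether the role is correct.
function sign_auth_cookie_weak(int $userId, string $roleFromRequest): string
{
    $payload = base64_encode(json_encode(['uid' => $userId, 'role' => $roleFromRequest]));
    return $payload . '.' . hash_hmac('sha256', $payload, AUTH_COOKIE_KEY);
}

// Hardened pattern: the role is read from the server-side record, the cookie carries an
// expiry, and an unknown user id yields no cookie at all.
function sign_auth_cookie(int $userId, int $now, int $ttl = 3600): ?string
{
    $role = lookup_user_role($userId);
    if ($role === null) {
        return null;
    }
    $claims  = ['uid' => $userId, 'role' => $role, 'exp' => $now + $ttl];
    $payload = base64_encode(json_encode($claims));
    return $payload . '.' . hash_hmac('sha256', $payload, AUTH_COOKIE_KEY);
}

// Verification: constant-time MAC comparison, expiry check, then the role is re-derived
// from the server record so authorization never trusts the role field inside the cookie.
function verify_auth_cookie(string $cookie, int $now): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, AUTH_COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or forged
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['uid'], $data['exp']) || (int) $data['exp'] < $now) {
        return null; // malformed or expired
    }
    $role = lookup_user_role((int) $data['uid']);
    if ($role === null) {
        return null; // account no longer exists
    }
    // Return the server-derived role; $data['role'] is deliberately ignored.
    return ['uid' => (int) $data['uid'], 'role' => $role];
}

// Usage: a student (uid 3) receives a cookie whose effective role is 'student', and a
// cookie whose payload was edited after signing fails the MAC check.
$now     = time();
$cookie  = sign_auth_cookie(3, $now);
$session = verify_auth_cookie($cookie, $now);
assert($session !== null && $session['role'] === 'student');

$edited = base64_encode(json_encode(['uid' => 3, 'role' => 'admin', 'exp' => $now + 3600]))
        . '.' . explode('.', $cookie, 2)[1];
assert(verify_auth_cookie($edited, $now) === null);
```

The design point is that signing alone does not fix CWE-287 when the signed value itself comes from the client: `sign_auth_cookie_weak` produces a perfectly valid MAC over an attacker-chosen role. The hardened path makes the cookie an identity assertion only, and the role is an authorization decision taken server-side on every request, which also means a role change or account removal takes effect immediately rather than at cookie expiry.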

Evidence notes

The vulnerability was reported through a GitHub issue and documented by VulDB. The CVSS 4.0 vector indicates a network attack vector with low complexity, no privileges required, and low impacts to confidentiality, integrity, and availability. The exploit maturity metric (E:P, proof-of-concept) confirms that exploit code exists.

Official resources

Public exploit available; vendor notified but unresponsive