CVE-2026-30368

Published: Apr 24, 2026Modified: Apr 27, 2026Deferred

5.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Exploitability: 2.2 / Impact: 2.7

Source: MITRE (Secondary)

Description

A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://tasty-hovercraft-9b9.notion.site/Enabling-Unauthorized-Remote-Control-of-Student-Devices-with-Lightspeed-Classroom-2ec5157f5b4a800c9eefc5526479820a

Source: cve@mitre.org

https://www.incognitotgt.me/blog/lightspeed

Source: cve@mitre.org

https://github.com/truekas/ls-poc

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

https://tasty-hovercraft-9b9.notion.site/Enabling-Unauthorized-Remote-Control-of-Student-Devices-with-Lightspeed-Classroom-2ec5157f5b4a800c9eefc5526479820a

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.