Lightspeed Classroom CVE-2026-30368 Unauthenticated Remote Device Control Vulnerability Analysis

Lightspeed Classroom CVE-2026-30368 Vulnerability Summary Vulnerability Overview CVE ID: CVE-2026-30368 Vulnerability Type: Weak authentication leading to unauthorized remote student device control Release Date: April 20, 2026 Core Issue: An attacker can remotely control a student’s device using only the target student’s email and the district customer ID, without requiring any credentials or physical access. Impact Scope Affected Product: Lightspeed Classroom browser extension (used by thousands of schools worldwide) Attack Conditions: - Attacker does not need to authenticate to the Lightspeed portal - No need to control district infrastructure - No modification of victim devices required - No Lightspeed-issued credentials needed Required Information: - Student email address - District customer ID Technical Details Authentication Process Flaws 1. Policy Retrieval: Obtain policy file containing JWT via POST request 2. JWT Generation: Use WebAssembly file to generate JWT, but a vulnerability allows interception 3. Ably Connection: Connect to Ably real-time communication service using forged JWT Key Vulnerability Points Defect in JWT generation process enables attackers to forge tokens Ably API key and key ID can be abused Client authentication mechanism is flawed, allowing unauthorized connections Remediation Measures 1. Strengthen JWT Validation: Ensure security of JWT generation and validation processes 2. Enhance API Key Management: Restrict usage scope and permissions of API keys 3. Improve Authentication Mechanism: Add multi-factor authentication or stricter identity verification 4. Update WebAssembly Code: Fix security vulnerabilities in WASM files POC Code Examples Policy Request Code JWT Payload Example Ably Connection Code Message Type Examples tabs message: closeTab message: focusTab message: ta message: url message: lock message: unlock message: No specific code example, but requires check

Goal Reached Thanks to every supporter — we hit 100%!

Lightspeed Classroom CVE-2026-30368 Unauthenticated Remote Device Control Vulnerability Analysis