Skip to main content

Openolat CVE-2026-31946

| EUVDEUVD-2026-17207 CRITICAL
Improper Authentication (CWE-287)
2026-03-30 GitHub_M
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:47 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
20.2.5
EUVD ID Assigned
Mar 30, 2026 - 21:00 euvd
EUVD-2026-17207
Analysis Generated
Mar 30, 2026 - 21:00 vuln.today
CVE Published
Mar 30, 2026 - 20:31 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.

AnalysisAI

Authentication bypass in OpenOlat e-learning platform versions 10.5.4 through 20.2.4 allows remote unauthenticated attackers to forge authentication tokens due to missing JWT signature verification in OpenID Connect implementation. The platform accepts JWTs without cryptographic validation, enabling attackers to impersonate any user by crafting tokens with arbitrary claims. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the complete absence of signature verification.

Technical ContextAI

OpenOlat (cpe:2.3:a:openolat:openolat) is an open-source learning management system implementing OpenID Connect for federated authentication. The vulnerability stems from improper authentication (CWE-287) in the OIDC implicit flow implementation. Specifically, the JSONWebToken.parse() method silently discards the signature component of compact JWTs (the third segment in header.payload.signature format), while getAccessToken() methods in OpenIdConnectApi and OpenIdConnectFullConfigurableApi classes validate only claim-level metadata fields like issuer, audience, state, and nonce without performing cryptographic signature verification against the Identity Provider's JSON Web Key Set endpoint. This fundamentally breaks the JWT trust model, which relies on asymmetric signature verification to ensure tokens originated from the legitimate IdP and have not been tampered with. Without JWKS validation, an attacker can craft arbitrary JWT payloads with valid-looking claims and the application will accept them as authentic.

RemediationAI

Upgrade immediately to OpenOlat version 20.2.5 or later, which implements proper JWT signature verification against Identity Provider JWKS endpoints. The vendor has patched this vulnerability in the 20.2.5 release by adding cryptographic signature validation to the authentication flow. Organizations should prioritize this upgrade as emergency maintenance given the critical severity and trivial exploitability. Review authentication logs for suspicious login patterns or unusual user sessions during the exposure window, particularly focusing on administrative account access and high-privilege user activity. After upgrading, verify that OpenID Connect authentication properly validates JWT signatures by testing with intentionally malformed tokens. No effective workarounds exist short of disabling OpenID Connect authentication entirely and reverting to alternative authentication mechanisms, which may not be operationally feasible for federated identity deployments. Consult the GitHub Security Advisory at https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch for additional vendor guidance and technical details on the fix implementation.

Share

CVE-2026-31946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy