EUVD-2026-19786CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute both actions, while real admins were rejected. This is a direct privilege-escalation issue in the application.
Analysis
Privilege escalation in PolarLearn account-management module allows authenticated non-admin users to arbitrarily reset passwords and delete user accounts due to an inverted admin permission check in versions 0-PRERELEASE-14 and earlier. The inverted logic in setCustomPassword() and deleteUser() functions grants administrative capabilities to regular users while blocking legitimate administrators. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all PolarLearn deployments and document current version numbers; restrict account-management module access to administrators only via network controls or application-level access lists pending patch availability. Within 7 days: Contact PolarLearn vendor for patch availability timeline and interim build; implement monitoring for setCustomPassword() and deleteUser() function calls from non-admin accounts. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today