Skip to main content

Open edX Platform CVE-2026-42858

| EUVDEUVD-2026-29166 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-11 GitHub_M
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 11, 2026 - 19:02 EUVD
Source Code Evidence Fetched
May 11, 2026 - 18:46 vuln.today
Analysis Generated
May 11, 2026 - 18:46 vuln.today
CVE Published
May 11, 2026 - 17:30 nvd
HIGH 8.5

DescriptionGitHub Advisory

Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadata_url POST parameter. This URL is passed directly to requests.get() in fetch_metadata_xml() without any URL validation, IP filtering, or scheme enforcement. An attacker with Enterprise Admin privileges can force the server to make HTTP requests to internal network services, cloud metadata endpoints (e.g., AWS 169.254.169.254), or other attacker-controlled destinations. This vulnerability is fixed by commit 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054.

AnalysisAI

Server-side request forgery (SSRF) in Open edX Platform allows authenticated Enterprise Admin users to force the application server to make HTTP requests to arbitrary internal network resources, cloud metadata endpoints (AWS 169.254.169.254), or external attacker-controlled hosts via the sync_provider_data SAML configuration endpoint. The unvalidated metadata_url parameter is passed directly to requests.get() without IP filtering or URL scheme enforcement, enabling internal network reconnaissance, credential theft from cloud metadata services, and potential lateral movement. Fixed in commits 6fda1f120ff and 70a56246dd9. EPSS data not available; no confirmed active exploitation at time of analysis.

Technical ContextAI

Open edX Platform is an open-source learning management system (LMS) used by educational institutions and enterprises for online course delivery. The vulnerability exists in the SAMLProviderDataViewSet's sync_provider_data endpoint, which accepts a metadata_url parameter to fetch SAML identity provider metadata. The fetch_metadata_xml() function uses Python's requests library to retrieve XML from the supplied URL without validating the destination. This implements CWE-918 (Server-Side Request Forgery), a critical web application security flaw where user-supplied URLs are processed server-side without proper validation. SSRF vulnerabilities are particularly dangerous in cloud environments where metadata endpoints (AWS 169.254.169.254, GCP metadata.google.internal, Azure 169.254.169.254) expose instance credentials, API keys, and configuration data. The CVSS vector S:C (Scope Changed) indicates the vulnerability can impact resources beyond the vulnerable component's authorization scope, consistent with SSRF attacks that breach trust boundaries between the web application and internal network segments. The fix introduces a SAML_METADATA_URL_ALLOW_PRIVATE_IPS toggle (default: False) to block requests to RFC 1918 private IP ranges, loopback addresses, and link-local addresses, though the commit diff shows this is configuration-based defense rather than mandatory enforcement.

RemediationAI

Apply patches by upgrading to Open edX Platform versions containing commits 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054 or later from the upstream repository at https://github.com/openedx/openedx-platform. After patching, review the SAML_METADATA_URL_ALLOW_PRIVATE_IPS setting in openedx/envs/common.py - the fix introduces this toggle with a secure default (False) that blocks private IP ranges, but operators must verify it remains disabled in production configurations. For deployments unable to immediately patch, implement network-level controls: configure egress firewall rules to block outbound HTTP/HTTPS from the Open edX application server to RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254/32). This mitigation breaks legitimate SAML metadata retrieval from internal identity providers, requiring manual metadata file uploads instead of URL-based sync. Alternatively, restrict Enterprise Admin role assignment to only highly trusted users and audit existing role grants via Django admin - this reduces attack surface but does not eliminate risk if any Enterprise Admin account is compromised. Monitor application logs for sync_provider_data POST requests with suspicious metadata_url values (internal IPs, localhost, cloud metadata URIs) as indicators of exploitation attempts. Full advisory and patch details at https://github.com/openedx/openedx-platform/security/advisories/GHSA-328g-7h4g-r2m9.

Share

CVE-2026-42858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy