Skip to main content

OpenLearnX CVE-2026-44720

MEDIUM
Improper Authentication (CWE-287)
2026-05-13 https://github.com/th30d4y/OpenLearnX GHSA-223g-f5mq-gw33
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 27, 2026 - 22:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 13, 2026 - 02:31 vuln.today
Analysis Generated
May 13, 2026 - 02:31 vuln.today
CVE Published
May 13, 2026 - 01:39 nvd
MEDIUM

DescriptionGitHub Advisory

Overview

A critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. The issue has been fixed.

Advisory: https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-223g-f5mq-gw33

AnalysisAI

OpenLearnX versions prior to 2.0.4 contain a critical authentication bypass vulnerability caused by disabled JWT signature verification, enabling unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability has been patched in version 2.0.4. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

OpenLearnX is a Node.js/npm-based learning management application that relies on JWT (JSON Web Tokens) for authentication. The vulnerability stems from improper implementation of JWT validation in the backend authentication layer, specifically a failure to verify JWT signatures before accepting tokens. This maps to CWE-287 (Improper Authentication), a root cause class covering authentication bypass flaws. The affected package is npm/openlearnx, distributed via npm registry. When JWT signature verification is disabled or not enforced, attackers can craft or modify tokens without knowledge of the signing secret, completely circumventing the authentication mechanism.

RemediationAI

Immediately upgrade OpenLearnX to version 2.0.4 or later, which contains the authentication bug fix. Users should execute 'npm update openlearnx@2.0.4' or update their package.json dependency to '^2.0.4' and run 'npm install'. No workarounds are documented for earlier versions. The patch addresses the JWT signature verification flaw in backend core services. After upgrading, restart the application to apply the fix. Verify the upgrade by checking package-lock.json or running 'npm list openlearnx' to confirm version 2.0.4 is installed. See release notes at https://github.com/th30d4y/OpenLearnX/releases/tag/v2.0.4.

Share

CVE-2026-44720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy