OpenLearnX CVE-2026-44720
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Overview
A critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. The issue has been fixed.
Advisory: https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-223g-f5mq-gw33
AnalysisAI
OpenLearnX versions prior to 2.0.4 contain a critical authentication bypass vulnerability caused by disabled JWT signature verification, enabling unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability has been patched in version 2.0.4. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
OpenLearnX is a Node.js/npm-based learning management application that relies on JWT (JSON Web Tokens) for authentication. The vulnerability stems from improper implementation of JWT validation in the backend authentication layer, specifically a failure to verify JWT signatures before accepting tokens. This maps to CWE-287 (Improper Authentication), a root cause class covering authentication bypass flaws. The affected package is npm/openlearnx, distributed via npm registry. When JWT signature verification is disabled or not enforced, attackers can craft or modify tokens without knowledge of the signing secret, completely circumventing the authentication mechanism.
RemediationAI
Immediately upgrade OpenLearnX to version 2.0.4 or later, which contains the authentication bug fix. Users should execute 'npm update openlearnx@2.0.4' or update their package.json dependency to '^2.0.4' and run 'npm install'. No workarounds are documented for earlier versions. The patch addresses the JWT signature verification flaw in backend core services. After upgrading, restart the application to apply the fix. Verify the upgrade by checking package-lock.json or running 'npm list openlearnx' to confirm version 2.0.4 is installed. See release notes at https://github.com/th30d4y/OpenLearnX/releases/tag/v2.0.4.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-223g-f5mq-gw33