Skillable SCORM CVE-2026-56877
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
PR:L for required enrollment token; C:L and I:L added over the reporter's score to reflect vendor-confirmed session exposure and allocation integrity bypass.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2Description PRE-NVD
AnalysisAI
Skillable's hosted SCORM lab launch endpoint at scorm.skillable.com enforces per-user lab allocation limits against a client-supplied userId query parameter that is never validated against the authenticated SCORM session token, enabling any enrolled learner to bypass rate limits, provision concurrent cloud VM lab instances at the course provider's expense, and exhaust another enrolled user's lab or exam allocation to deny them access. The vulnerability (CWE-639) was confirmed against the reporter's own account and a consenting fellow student on 2026-05-03; the vendor subsequently acknowledged in a private customer advisory that exam allocations and another learner's active session details are also reachable via the same mechanism. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active SCORM launch token, issued only to learners authenticated within the LMS who have opened a lab unit - limiting the attacker population to enrolled students on Skillable SCORM-integrated courses. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-reported CVSS 3.1 score of 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the confirmed cross-user denial-of-service impact but deliberately excludes confidentiality and integrity dimensions that the reporter could not independently verify. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An enrolled student uses an intercepting proxy to capture the SCORM lab launch URL, then replaces the userId query parameter with a fellow student's identifier - obtainable via the LMS learner enumeration endpoint. Submitting the modified request to scorm.skillable.com causes the server to validate the attacker's SCORM token (confirming enrollment) but deduct the launch against the victim's allocation; repeated requests silently exhaust the victim's per-user limit, and the victim is subsequently denied access to the lab or exam. … |
| Remediation | No server-side patch exists and the vendor has confirmed none is planned for the SCORM launch path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: List all courses and institutions using Skillable SCORM; assess current lab and exam allocation inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today