Skip to main content

Openedx Platform EUVDEUVD-2026-18502

| CVE-2026-34736 MEDIUM
Improper Authentication (CWE-287)
2026-04-02 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 19:01 euvd
EUVD-2026-18502
Analysis Generated
Apr 02, 2026 - 19:01 vuln.today
CVE Published
Apr 02, 2026 - 18:29 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.

AnalysisAI

Open edX Platform from maple release through ulmo allows unauthenticated attackers to bypass email verification by exploiting an OAuth2 password grant that issues tokens to inactive users combined with exposure of activation keys in the REST API response at /api/user/v1/accounts/. This authentication bypass enables account takeover and unauthorized access to learning platforms. The vulnerability affects all deployments from maple to before ulmo release and has been patched in the ulmo release.

Technical ContextAI

The vulnerability stems from a combination of two authentication logic flaws in Open edX's OAuth2 and user account management systems. First, the OAuth2 password grant endpoint issues valid authentication tokens to inactive (unverified) user accounts, contrary to expected security practices. Second, the /api/user/v1/accounts/ REST API endpoint returns sensitive activation_key values in response bodies, which are normally used to verify email ownership during account creation. Under CWE-287 (Improper Authentication), these design flaws allow an attacker to obtain a valid bearer token for an unactivated account and then retrieve the activation key from the API itself, effectively circumventing the email verification requirement entirely. The affected product is Open edX Platform (CPE: cpe:2.3:a:openedx:openedx-platform), a widely deployed open-source learning management and course authoring system used by universities and corporate training organizations.

RemediationAI

Vendor-released patch: Upgrade to Open edX Platform ulmo release or later. Organizations unable to upgrade immediately should restrict public access to the /api/user/v1/accounts/ endpoint by implementing network-level access controls or modifying API authorization policies to prevent unauthenticated read access to activation_key fields. Additionally, review OAuth2 password grant configuration to ensure tokens are not issued to inactive accounts; this may require custom backend logic depending on your Open edX deployment. Apply the upstream fix referenced in commit ad342ae16e6af0b46460ca05f47697ac755feba8 (https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8) if patching at the source level before ulmo release is available. Consult the security advisory at https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw for environment-specific remediation guidance.

Share

EUVD-2026-18502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy