EUVD-2026-18502

| CVE-2026-34736 MEDIUM
2026-04-02 GitHub_M
5.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 02, 2026 - 19:01 vuln.today
EUVD ID Assigned
Apr 02, 2026 - 19:01 euvd
EUVD-2026-18502
CVE Published
Apr 02, 2026 - 18:29 nvd
MEDIUM 5.3

Tags

Authentication Bypass

Description

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.

Analysis

Open edX Platform from maple release through ulmo allows unauthenticated attackers to bypass email verification by exploiting an OAuth2 password grant that issues tokens to inactive users combined with exposure of activation keys in the REST API response at /api/user/v1/accounts/. This authentication bypass enables account takeover and unauthorized access to learning platforms. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0

Share

EUVD-2026-18502 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy