Platform: other
Component: openolat
Fixed in: 10.5.5
CVE-2026-31946 is a critical authentication bypass in the OpenOLAT e-learning platform. The flaw lies in how OpenOLAT handles ID tokens received through the OpenID Connect implicit flow: the JWT signature is not properly verified, so the platform accepts token claims it has never authenticated. This matters particularly in the implicit flow, where the ID token arrives through the browser (in the redirect URI fragment) rather than over a back-channel from the identity provider, so the signature is the relying party's only proof that the token was issued by the IdP. Affected are versions 10.5.4 up to, but not including, 20.2.5; the fix is available in version 20.2.5.
The impact is severe. Because the signature is not checked, an attacker can forge a token with arbitrary claims (for example the subject of an administrative account), present it to OpenOLAT and be logged in without valid credentials. From there the attacker can read learner and course data, modify course content, create users and potentially take complete control of the platform. The pattern is the same as in other JWT bypasses where signature validation is absent or insufficient (unsigned tokens, alg "none", tokens signed with a key the verifier never checks): whoever controls the token body controls the identity, which can lead to widespread compromise of the e-learning environment.
CVE-2026-31946 was publicly disclosed on 2026-03-30. The CVSS score of 9.8 (Critical) reflects the high severity and ease of exploitation. No public proof-of-concept (PoC) has been released as of this writing, but given the nature of the flaw a forged-token PoC is straightforward to produce and likely to appear. The CVE is not currently listed in CISA KEV; its severity nonetheless warrants monitoring.
Educational institutions and other organizations running OpenOLAT are at significant risk, specifically those that have OpenID Connect login enabled and run a version between 10.5.4 and 20.2.4. Instances without OIDC login configured are less exposed but should still be upgraded. Where OpenOLAT is co-hosted with other applications, a compromise of the platform also puts those neighbours at risk unless they are properly isolated from it.
• linux / server: Monitor OpenOLAT logs for token validation failures, i.e. JWTs presented without a signature or with rejected claims. If OpenOLAT runs as a systemd unit named openolat, the journal can be filtered as below; if it logs to its own file instead, run the same grep against that file. The message strings are placeholders; match them to the wording your OpenOLAT version actually logs:
journalctl -u openolat | grep -iE "JWT signature|invalid claim"
• generic web: Use curl to test the OpenID Connect login endpoint with crafted tokens that lack a valid signature (an empty signature segment, alg "none", or a well-formed token signed with a key the IdP does not hold) and confirm they are rejected:
curl -H "Authorization: Bearer <malformed_jwt>" <openid_connect_endpoint>
• database (mysql): If OpenOLAT stores JWTs in the database (check the configuration; in the implicit flow, ID tokens are normally validated in memory and not persisted), query the relevant tables for tokens without a signature segment or with suspicious claim values. The specific query depends on OpenOLAT's database schema.
Disclosure
Exploit status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade OpenOLAT to version 20.2.5 or later immediately, as that version enforces signature verification of the ID token. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks requests carrying obviously malformed or unsigned JWTs (empty signature segment, alg "none"); note that this is only partial, because a forged token with a well-formed but invalid signature looks like a legitimate one to the WAF. If OIDC login can be disabled temporarily, that removes the vulnerable code path until the upgrade. Review the OpenID Connect configuration to ensure signature validation is enforced and monitor OpenOLAT logs for tokens without signatures or with unexpected claims. After upgrading, confirm the fix by attempting to authenticate with forged tokens (alg "none", an empty signature, and a token signed with a key the IdP does not hold) and verifying that all are rejected while a legitimate login still succeeds.
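The checks described above, as an added example that is not OpenOLAT's code and not part of the advisory: a Python sketch of the vulnerable pattern (reading claims without verifying the signature) beside a hardened ID-token verifier, and the forged tokens a tester presents after upgrading. The issuer, audience and signing key are constructed, and HS256 with a shared key stands in for the IdP's RS256/ES256 signature so the script runs offline; a real relying party fetches the IdP key from its JWKS but applies the same algorithm pinning and iss/aud/exp/nonce checks.

```python
"""Added example (not OpenOLAT code): vulnerable vs. hardened OIDC ID-token
handling, plus the forgeries used to confirm a fix. Constructed key and issuer;
HS256 used in place of the IdP's RS256/ES256 so the demo runs offline."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

IDP_KEY = b"constructed-demo-key-not-for-production"   # assumed IdP signing key
EXPECTED_ISS = "https://idp.example.org"                # assumed issuer
EXPECTED_AUD = "openolat"                               # assumed client_id


class InvalidToken(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = IDP_KEY, alg: str = "HS256") -> str:
    """Mint a JWT; alg='none' yields the unsigned form an attacker would try."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def vulnerable_decode(token: str) -> dict:
    """The bug pattern: claims are read and trusted without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_id_token(token: str, key: bytes = IDP_KEY, nonce: Optional[str] = None,
                    now: Optional[float] = None) -> dict:
    """Hardened pattern: pinned alg, constant-time signature check, then iss/aud/exp/nonce."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:
        raise InvalidToken("undecodable header or signature")
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not signature or not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))  # claims are trusted only from here on
    except ValueError:
        raise InvalidToken("undecodable claims")
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != EXPECTED_ISS:
        raise InvalidToken("issuer mismatch")
    if EXPECTED_AUD not in aud:
        raise InvalidToken("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise InvalidToken("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise InvalidToken("nonce mismatch")
    return claims


def forged_tokens(now: float) -> dict:
    """One legitimate token for 'alice' and four forgeries claiming 'administrator'."""
    claims = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice",
              "exp": now + 300, "nonce": "n-1"}
    admin = {**claims, "sub": "administrator"}
    legit = sign_token(claims)
    header, _, sig = legit.split(".")
    return {
        "legit": legit,
        "alg_none": sign_token(admin, alg="none"),              # alg header 'none', no signature
        "stripped": sign_token(admin).rsplit(".", 1)[0] + ".",  # HS256 header, empty signature
        "attacker_key": sign_token(admin, key=b"attacker"),     # signed with the wrong key
        "tampered": f"{header}.{b64url(json.dumps(admin).encode())}.{sig}",  # body swapped under alice's signature
    }


def outcome(token: str, now: float, nonce: str = "n-1") -> str:
    """'sub=<name>' if the hardened verifier accepts the token, else the rejection reason."""
    try:
        return "sub=" + verify_id_token(token, nonce=nonce, now=now)["sub"]
    except InvalidToken as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    now = time.time()
    for name, tok in forged_tokens(now).items():
        print(f"{name:13} vulnerable -> sub={vulnerable_decode(tok)['sub']:14} hardened -> {outcome(tok, now)}")
```

Every forgery yields "administrator" from the vulnerable decoder and is rejected by the hardened verifier, while the legitimate token is accepted. The same five tokens, re-signed with whatever key material your test IdP uses, are what to send to the OpenOLAT login endpoint after the upgrade.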
Update OpenOLAT to version 20.2.5 or later. This version fixes the authentication bypass by correctly verifying JWT signatures in the OIDC implicit flow.
CVE-2026-31946 is a critical vulnerability in OpenOLAT that allows attackers to bypass authentication with forged JWTs whose signatures are not verified in the OIDC implicit flow. Versions 10.5.4 through 20.2.4 are affected, potentially granting unauthorized access.
If you run OpenOLAT 10.5.4 to 20.2.4, particularly with OpenID Connect login enabled, you are potentially affected. Verify your version and upgrade immediately if vulnerable.
Upgrade OpenOLAT to version 20.2.5 or later to resolve the vulnerability. Consider WAF rules that block obviously malformed or unsigned tokens as a temporary, partial mitigation if an immediate upgrade is not possible.
No active exploitation has been confirmed publicly (EPSS 0.03%), but forging a token is easy once the missing check is known, so the vulnerability is likely to be targeted. Monitor your systems closely.
Refer to the official OpenOLAT security advisory for detailed information and updates: [https://www.openolat.org/security-advisories](https://www.openolat.org/security-advisories)