Platform
nodejs
Component
polarnl/polarnl
Fixed in
0.0.1
CVE-2026-39322 describes an authentication bypass vulnerability discovered in PolarLearn, a free and open-source learning program. This flaw allows banned user accounts to create valid sessions and bypass authentication checks, granting access to sensitive data and enabling unauthorized actions. The vulnerability affects versions 0.0.0 up to and including v0-PRERELEASE-15, but a fix is available in version 0.0.2.
An attacker exploiting this vulnerability can bypass the intended restrictions placed on banned user accounts. By crafting a specific POST request to the /api/v1/auth/sign-in endpoint, an attacker can create a valid session even if the account is flagged as banned. This session is then accepted across authenticated API routes, effectively allowing the attacker to impersonate the banned user. The potential impact includes unauthorized access to account data, modification of learning materials, and potentially even administrative actions depending on the permissions associated with the banned account. This could compromise the integrity and confidentiality of the learning platform.
CVE-2026-39322 was publicly disclosed on 2026-04-07. Currently, there are no known public proof-of-concept exploits. The vulnerability is not listed in the CISA KEV catalog at the time of writing. Given the relatively straightforward nature of the bypass, attackers may develop and deploy exploits in the future.
Organizations and individuals using PolarLearn versions 0.0.0 through v0-PRERELEASE-15 are at risk. This includes educational institutions, training providers, and anyone utilizing PolarLearn for online learning programs. Shared hosting environments running PolarLearn are particularly vulnerable, as a compromise of one account could potentially lead to broader access.
• nodejs / server:
# Check for PolarLearn processes
ps aux | grep PolarLearn
# Monitor API logs for sign-in attempts by accounts flagged 'banned' in the user records
grep 'banned' /var/log/polarlearn/api.log
• generic web:
# Check whether the /api/v1/auth/sign-in endpoint is exposed
curl -I https://your-polarlearn-instance/api/v1/auth/sign-in
Disclosure
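The grep above only finds the word 'banned' in the log. What a defender actually wants is the join between sign-in events and the user records: sessions that were issued to accounts which were banned at the time. The following is an added example, not part of this advisory or of PolarLearn; the log line format, the field names and the user table are constructed assumptions, since PolarLearn's real log format is not documented here.

```javascript
// Added example (not PolarLearn's code). Flags successful sign-ins that were
// granted to banned accounts, which is the symptom of CVE-2026-39322.
// The log format below is an assumption, not PolarLearn's real format.

// Constructed sample of API log lines (one event per line).
const SAMPLE_LOG = [
  '2026-04-08T09:58:12Z sign-in user=alice result=success ip=198.51.100.7',
  '2026-04-08T09:59:03Z sign-in user=mallory result=failure ip=203.0.113.9',
  '2026-04-08T09:59:41Z sign-in user=mallory result=success ip=203.0.113.9',
  '2026-04-08T10:01:00Z sign-in user=bob result=success ip=198.51.100.8',
  '2026-04-08T10:02:30Z sign-in user=mallory result=success ip=203.0.113.10',
];

// Constructed user records: banned accounts carry the time the ban took effect,
// so a sign-in that predates the ban is not counted as a bypass.
const USERS = {
  alice: { bannedAt: null },
  bob: { bannedAt: null },
  mallory: { bannedAt: '2026-04-08T09:00:00Z' },
};

// Assumed line shape: "<ISO timestamp> sign-in user=<name> result=<success|failure> ip=<addr>"
const LINE_RE = /^(\S+) sign-in user=(\S+) result=(success|failure) ip=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // ignore lines that are not sign-in events
  return { ts: m[1], user: m[2], result: m[3], ip: m[4] };
}

// Returns the events where a session was issued to an account that was
// already banned at that time. Failed attempts are reported separately as
// a count, because they show probing but no bypass.
function findBannedSignIns(logLines, users) {
  const hits = [];
  let failedAttemptsByBanned = 0;
  for (const line of logLines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const record = users[ev.user];
    if (!record || !record.bannedAt) continue;
    const bannedBefore = Date.parse(record.bannedAt) <= Date.parse(ev.ts);
    if (!bannedBefore) continue;
    if (ev.result === 'success') hits.push(ev);
    else failedAttemptsByBanned += 1;
  }
  return { hits, failedAttemptsByBanned };
}

// Stand-alone run over the constructed sample.
const report = findBannedSignIns(SAMPLE_LOG, USERS);
for (const ev of report.hits) {
  console.log(`session issued to banned account ${ev.user} at ${ev.ts} from ${ev.ip}`);
}
```

Any hit from this check on a PolarLearn instance in the affected range is a concrete indicator that the bypass was used and that the sessions involved should be invalidated.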
Exploit status
EPSS
0.05% (14th percentile)
The primary mitigation for CVE-2026-39322 is to upgrade PolarLearn to version 0.0.2 or later, which contains the fix for this authentication bypass. If upgrading is not immediately feasible, consider implementing temporary workarounds such as stricter input validation on the /api/v1/auth/sign-in endpoint to prevent the creation of sessions for banned accounts. Review and enhance existing ban enforcement mechanisms to ensure they are correctly preventing access to authenticated routes. Monitor API logs for suspicious login attempts or unusual activity associated with banned accounts.
Update PolarLearn to version 0.0.2 or later to fix the vulnerability. The update resolves the problem by checking the password before a session is created for banned accounts, which prevents unauthorized access to account data.
CVE-2026-39322 is an authentication bypass vulnerability in PolarLearn versions 0.0.0 through v0-PRERELEASE-15, allowing banned accounts to access data and perform actions.
If you are using PolarLearn version 0.0.0 through v0-PRERELEASE-15, you are potentially affected by this vulnerability.
Upgrade PolarLearn to version 0.0.2 or later to resolve the authentication bypass vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.