CVE-2026-25221: CSRF in PolarLearn v0-PRERELEASE-15

Platform

other

Component

polarlearn

Fixed in

0.0.1

AI Confidence: high
NVD
EPSS: 0.0%
Reviewed: May 2026

CVE-2026-25221 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PolarLearn, a free and open-source learning program. This flaw allows attackers to leverage the OAuth 2.0 implementation for GitHub and Google login providers to hijack user sessions. The vulnerability exists in versions up to v0-PRERELEASE-15, and a fix is available in version 0.0.1.

Impact and Attack Scenarios

An attacker can exploit this CSRF vulnerability to trick a legitimate user into unknowingly performing actions on their behalf within PolarLearn. Specifically, the attacker can pre-authenticate a session using the victim's GitHub or Google account. Any data the victim subsequently enters, such as academic progress or personal information, will be stored on the attacker's account, leading to data loss for the victim. Furthermore, the attacker gains access to information associated with the victim's account, resulting in information disclosure. This vulnerability highlights the importance of proper state parameter validation in OAuth 2.0 flows.

Exploitation Context

CVE-2026-25221 was publicly disclosed on 2026-02-02. There is currently no known public proof-of-concept (POC) available. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is currently considered low due to the lack of a public POC and the relatively recent disclosure.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.01% (2nd percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

Affected Software

Component: polarlearn
Vendor: polarnl
Affected range: <= v0-PRERELEASE-15
Fixed in: 0.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-25221 is to immediately upgrade PolarLearn to version 0.0.1 or later, which contains the fix for this CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which PolarLearn can load resources. Additionally, educate users about the risks of clicking on suspicious links or visiting untrusted websites while logged into PolarLearn. While a WAF may offer some protection, it is not a substitute for patching the application.

How to fix

Update PolarLearn to a version later than 0-PRERELEASE-15. This corrects the CSRF vulnerability in the OAuth 2.0 authentication for the GitHub and Google login providers. The update implements the verification of the state parameter during the authentication flow, preventing an attacker from pre-authenticating a session and tricking the victim into logging into the attacker's account.
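As an added illustration of the state check this fix introduces (example code, not PolarLearn's own; the provider authorize URLs are the public GitHub and Google endpoints, while the client ID and redirect URI are assumed placeholders), the login start mints a per-session state and the callback is only honoured when that exact state comes back:

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed configuration: PolarLearn's real client IDs and redirect URI are not on the page.
PROVIDERS = {
    "github": {"authorize_url": "https://github.com/login/oauth/authorize"},
    "google": {"authorize_url": "https://accounts.google.com/o/oauth2/v2/auth"},
}
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://polarlearn.example/auth/callback"


def start_login(session: dict, provider: str) -> str:
    """Mint an unguessable state, bind it to this browser session, and build the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state          # server-side session, never readable by another origin
    session["oauth_provider"] = provider
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    }
    return f"{PROVIDERS[provider]['authorize_url']}?{urlencode(params)}"


def verify_state(session: dict, callback_url: str) -> bool:
    """True only if the state echoed back equals the one this session minted; single use."""
    expected = session.pop("oauth_state", None)   # pop so a replayed callback also fails
    session.pop("oauth_provider", None)
    returned = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    if not expected:
        return False                               # no login was started from this session
    return hmac.compare_digest(expected, returned)


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Return the authorization code when the state check passes, None when it must be rejected.

    A callback carrying someone else's code but no matching state (the pre-authenticated
    session described above) is rejected before the code is ever exchanged for tokens.
    """
    if not verify_state(session, callback_url):
        return None
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]
```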


Frequently asked questions

What is CVE-2026-25221 — CSRF in PolarLearn?

CVE-2026-25221 is a Cross-Site Request Forgery (CSRF) vulnerability in PolarLearn versions up to v0-PRERELEASE-15, allowing attackers to hijack user sessions via GitHub and Google OAuth login.

Am I affected by CVE-2026-25221 in PolarLearn?

You are affected if you are using PolarLearn versions prior to 0.0.1 and rely on GitHub or Google for authentication.

How do I fix CVE-2026-25221 in PolarLearn?

Upgrade PolarLearn to version 0.0.1 or later to resolve the vulnerability. Consider implementing a Content Security Policy (CSP) as a temporary mitigation.

Is CVE-2026-25221 being actively exploited?

There is currently no confirmed active exploitation of CVE-2026-25221, but the lack of a public proof-of-concept does not guarantee safety.

Where can I find the official PolarLearn advisory for CVE-2026-25221?

Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.
