Platform: other
Component: openolat
Fixed in: 10.5.5
CVE-2026-31946 represents a critical Authentication Bypass vulnerability affecting OpenOLAT e-learning platforms. This flaw allows attackers to circumvent authentication mechanisms by exploiting weaknesses in the OpenID Connect implicit flow's JWT signature verification process. The vulnerability impacts versions 10.5.4 up to, but not including, 20.2.5, and a fix is available in version 20.2.5.
An attacker can exploit this vulnerability to gain unauthorized access to OpenOLAT systems without proper authentication. By manipulating JWT signatures, they can bypass the intended security checks and impersonate legitimate users. This could lead to data breaches, modification of course content, unauthorized access to student records, and potentially complete control over the OpenOLAT instance. The lack of signature verification means any crafted JWT will be accepted, making exploitation relatively straightforward. This vulnerability shares similarities with other JWT-related bypasses where signature validation is insufficient.
CVE-2026-31946 was publicly disclosed on 2026-03-30. The likelihood of exploitation is rated high because the flaw is easy to exploit and its impact is critical. No public proof-of-concept (PoC) code has been released as of this writing, but the nature of the vulnerability suggests that a PoC is likely to emerge. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade OpenOLAT to version 20.2.5 or later, which includes the necessary signature verification fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests with malformed or unsigned JWTs. Carefully review and restrict OpenID Connect client configurations to minimize the attack surface. Monitor OpenOLAT logs for suspicious JWT activity, specifically looking for requests without valid signatures. While not a direct fix, ensuring proper network segmentation can limit the potential blast radius if a breach occurs.
Update OpenOLAT to version 20.2.5 or higher. This version fixes the authentication bypass vulnerability by correctly verifying JWT signatures in the OIDC implicit flow.
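As an added illustration of the class of weakness described above and of the "requests without valid signatures" that the mitigation section says to watch for, the following Python contrasts an ID-token handler that reads claims without verifying the signature with one that checks signature, algorithm, issuer, audience, expiry and nonce as OIDC Core requires for the implicit flow. This is example code, not OpenOLAT's code and not the project's actual fix; the issuer URL, client id and HMAC secret are constructed assumptions, and HS256 is used only so the example runs offline, whereas a real OIDC deployment verifies RS256 ID tokens against the provider's published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions for this example, not real configuration).
ISSUER = "https://idp.example"       # assumed OpenID provider issuer URL
CLIENT_ID = "openolat-client"        # assumed relying-party client id
SECRET = b"constructed-demo-secret"  # stands in for the provider's signing key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWT. Used here only to construct test inputs."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        sig = ""  # an unsigned token, which a correct verifier must reject
    else:
        sig = _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def decode_unverified(token: str) -> dict:
    """The weak pattern: claims are trusted without checking the signature,
    so any syntactically valid token is accepted."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Hardened pattern: validate the ID token before trusting any claim.
    Raises ValueError on any failure; returns the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side: the token must not choose it.
    # This rejects alg=none and key/algorithm confusion in one check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # Only after the signature checks out do the claims mean anything.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not aud or CLIENT_ID not in aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The nonce binds the ID token to this login attempt (implicit-flow replay defence).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def is_valid(token: str, expected_nonce: str, now=None) -> bool:
    """Boolean wrapper, handy for monitoring code that counts rejected tokens."""
    try:
        verify_id_token(token, expected_nonce, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "exp": 2000, "nonce": "n1"}
    good = make_token(claims)
    unsigned = make_token(claims, alg="none")
    print("unverified decode accepts unsigned token:", decode_unverified(unsigned)["sub"])
    print("verifier accepts good token:", is_valid(good, "n1", now=1000))
    print("verifier accepts unsigned token:", is_valid(unsigned, "n1", now=1000))
```

The design point is that `verify_id_token` fixes the algorithm and key on the verifier side and checks the signature before reading a single claim; everything `decode_unverified` returns is attacker-controlled input until that check has passed. A log line emitted from the `except ValueError` branch (with the failure reason but not the token) is the signal the mitigation section recommends monitoring for.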
CVE-2026-31946 is a critical vulnerability in OpenOLAT allowing attackers to bypass authentication by manipulating JWT signatures. Versions 10.5.4 through 20.2.4 are affected, potentially granting unauthorized access.
If you are running OpenOLAT versions 10.5.4 to 20.2.4, you are potentially affected. Verify your version and upgrade immediately if vulnerable.
Upgrade OpenOLAT to version 20.2.5 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if immediate upgrade is not possible.
While no active exploitation has been confirmed publicly, the vulnerability's ease of exploitation suggests it is likely to be targeted. Monitor your systems closely.
Refer to the official OpenOLAT security advisory for detailed information and updates: [https://www.openolat.org/security-advisories](https://www.openolat.org/security-advisories)