Platform: python
Component: openedx-platform
Fixed in: ulmo
CVE-2026-34736 is a vulnerability in the Open edX Platform affecting versions from maple up to, but not including, ulmo. An unauthenticated attacker can bypass the email verification process, potentially gaining unauthorized access to user accounts. The bypass chains two weaknesses: the OAuth2 password grant issues tokens to users whose accounts are not yet activated, and the REST API then exposes the activation key to the holder of such a token. The vulnerability has been patched in the ulmo release.
Successful exploitation of CVE-2026-34736 allows an attacker to bypass the email verification process in Open edX. This means an attacker could create and access user accounts without verifying the associated email address. The impact extends to the compromise of user accounts, potentially leading to unauthorized access to learning materials, course data, and personal information stored within the platform. While the vulnerability requires combining two factors (a token issued to an inactive user and the activation key exposed through the REST API), the potential for widespread account takeover is significant, particularly in environments with a large number of inactive users.
This vulnerability was publicly disclosed on 2026-04-02. Currently, there are no known public proof-of-concept exploits available. The vulnerability's severity is rated as Medium (CVSS 5.3). It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed at this time, but the ease of exploitation, combined with the potential impact, warrants careful monitoring.
Exploit Status
EPSS: 0.07% (20th percentile)
The primary mitigation for CVE-2026-34736 is to upgrade Open edX Platform to version ulmo or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Restricting access to the /api/user/v1/accounts/ endpoint to authenticated users only can help prevent the exposure of activation keys. Additionally, review OAuth2 configurations to ensure that tokens are not being issued to inactive users. Monitor API logs for suspicious activity related to account creation and activation.
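As an added example of the log monitoring suggested above (not code from Open edX or from this advisory), the following script correlates access-log lines per client and flags the sequence the advisory describes: a successful OAuth2 token grant, followed by a read from the /api/user/v1/accounts/ endpoint, followed by the same client opening an activation URL. The log format, the token endpoint path /oauth2/access_token, the /activate/ prefix and the sample lines are all constructed for this example.

```python
from datetime import datetime, timedelta

# The accounts endpoint is named in the advisory; the other two paths are assumptions.
ACCOUNTS_API = "/api/user/v1/accounts/"
TOKEN_ENDPOINT = "/oauth2/access_token"
ACTIVATION_PREFIX = "/activate/"
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <client-ip> <method> <path> <status>'."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def find_bypass_candidates(lines):
    """Return {client_ip: username} for clients that, within WINDOW, obtained an
    OAuth2 token, read a record from the accounts API, and then requested an
    activation URL themselves. A normal activation comes from a link in an e-mail,
    not from the client that just queried the accounts API, so review these."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    state = {}    # client_ip -> (stage, timestamp of the token grant, username read)
    flagged = {}
    for ts, ip, method, path, status in events:
        stage, start, user = state.get(ip, (0, None, None))
        if start is not None and ts - start > WINDOW:
            state.pop(ip, None)                      # chain too slow: start over
            stage, start, user = 0, None, None
        if stage == 0 and method == "POST" and path == TOKEN_ENDPOINT and status == 200:
            state[ip] = (1, ts, None)
        elif stage == 1 and method == "GET" and path.startswith(ACCOUNTS_API) and status == 200:
            state[ip] = (2, start, path[len(ACCOUNTS_API):].strip("/"))
        elif stage == 2 and path.startswith(ACTIVATION_PREFIX):
            flagged[ip] = user
            state.pop(ip, None)
    return flagged


# Constructed sample: 203.0.113.7 runs the full chain in seconds; 198.51.100.2 reads
# its own profile and only activates 39 minutes later, outside the window.
SAMPLE_LOG = """\
2026-04-03T10:00:01 203.0.113.7 POST /oauth2/access_token 200
2026-04-03T10:00:03 203.0.113.7 GET /api/user/v1/accounts/newlearner 200
2026-04-03T10:00:05 203.0.113.7 GET /activate/PLACEHOLDER-KEY 302
2026-04-03T10:01:00 198.51.100.2 POST /oauth2/access_token 200
2026-04-03T10:01:02 198.51.100.2 GET /api/user/v1/accounts/alice 200
2026-04-03T10:40:00 198.51.100.2 GET /activate/PLACEHOLDER-KEY 302
""".splitlines()

if __name__ == "__main__":
    print(find_bypass_candidates(SAMPLE_LOG))   # {'203.0.113.7': 'newlearner'}
```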
Update Open edX Platform to the ulmo version or later. This version fixes the vulnerability that allows email verification bypass by exposing the activation key in the REST API.
CVE-2026-34736 is a vulnerability in Open edX Platform allowing an unauthenticated attacker to bypass email verification by exploiting OAuth2 token issuance and API exposure, affecting versions from maple up to, but not including, ulmo.
You are affected if you are running Open edX Platform versions maple up to, but not including, ulmo. Check your version and upgrade if necessary.
Upgrade Open edX Platform to version ulmo or later to resolve the vulnerability. Consider temporary workarounds like restricting API access if immediate upgrading is not possible.
Active exploitation is not confirmed at this time, but the vulnerability's ease of exploitation warrants careful monitoring.
Refer to the official Open edX security advisories on their website for detailed information and updates regarding CVE-2026-34736.