Platform: nodejs
Component: polarnl/polarnl
Fixed in: 0.0.1
CVE-2026-39322 describes an authentication bypass vulnerability discovered in PolarLearn, a free and open-source learning program. This flaw allows banned user accounts to create valid sessions and bypass authentication checks, granting access to sensitive data and enabling unauthorized actions. The vulnerability affects versions 0.0.0 up to and including v0-PRERELEASE-15, but a fix is available in version 0.0.2.
An attacker exploiting this vulnerability can bypass the intended restrictions placed on banned user accounts. By crafting a specific POST request to the /api/v1/auth/sign-in endpoint, an attacker can create a valid session even if the account is flagged as banned. This session is then accepted across authenticated API routes, effectively allowing the attacker to impersonate the banned user. The potential impact includes unauthorized access to account data, modification of learning materials, and potentially even administrative actions depending on the permissions associated with the banned account. This could compromise the integrity and confidentiality of the learning platform.
CVE-2026-39322 was publicly disclosed on 2026-04-07. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Given the relatively straightforward nature of the bypass, it is possible that attackers may develop and deploy exploits in the future.
Exploit Status
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2026-39322 is to upgrade PolarLearn to version 0.0.2 or later, which contains the fix for this authentication bypass. If upgrading is not immediately feasible, consider a temporary workaround such as an explicit server-side ban-status check on the /api/v1/auth/sign-in endpoint so that no session is created for banned accounts. Review and enhance existing ban enforcement mechanisms to ensure they correctly deny banned accounts access to authenticated routes. Monitor API logs for suspicious login attempts or unusual activity associated with banned accounts.
Update PolarLearn to version 0.0.2 or higher to mitigate the vulnerability. This update corrects the issue by verifying the password before creating a session for banned accounts, preventing unauthorized access to account data.
CVE-2026-39322 is an authentication bypass vulnerability in PolarLearn versions 0.0.0 through v0-PRERELEASE-15, allowing banned accounts to access data and perform actions.
If you are using PolarLearn version 0.0.0 through v0-PRERELEASE-15, you are potentially affected by this vulnerability.
Upgrade PolarLearn to version 0.0.2 or later to resolve the authentication bypass vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.