Plateforme
other
Composant
polarlearn
Corrigé dans
0.0.1
CVE-2026-25221 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PolarLearn, a free and open-source learning program. This flaw allows attackers to leverage the OAuth 2.0 implementation for GitHub and Google login providers to hijack user sessions. The vulnerability exists in versions up to v0-PRERELEASE-15, and a fix is available in version 0.0.1.
An attacker can exploit this CSRF vulnerability to trick a legitimate user into unknowingly performing actions on their behalf within PolarLearn. Specifically, the attacker can pre-authenticate a session using the victim's GitHub or Google account. Any data the victim subsequently enters, such as academic progress or personal information, will be stored on the attacker's account, leading to data loss for the victim. Furthermore, the attacker gains access to information associated with the victim's account, resulting in information disclosure. This vulnerability highlights the importance of proper state parameter validation in OAuth 2.0 flows.
CVE-2026-25221 was publicly disclosed on 2026-02-02. There is currently no known public proof-of-concept (POC) available. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is currently considered low due to the lack of a public POC and the relatively recent disclosure.
Educational institutions and individuals using PolarLearn for online learning are at risk. Specifically, users who rely on GitHub or Google for authentication are particularly vulnerable. Those using older, unpatched versions of PolarLearn are most susceptible to exploitation.
disclosure
Statut de l'Exploit
EPSS
0.01% (percentile 2%)
CISA SSVC
The primary mitigation for CVE-2026-25221 is to immediately upgrade PolarLearn to version 0.0.1 or later, which contains the fix for this CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which PolarLearn can load resources. Additionally, educate users about the risks of clicking on suspicious links or visiting untrusted websites while logged into PolarLearn. While a WAF may offer some protection, it is not a substitute for patching the application.
Mettez à jour PolarLearn à une version ultérieure à 0-PRERELEASE-15. Cela corrige la vulnérabilité CSRF dans l'authentification OAuth 2.0 pour les fournisseurs de connexion GitHub et Google. La mise à jour implémente la vérification du paramètre state pendant le flux d'authentification, empêchant un attaquant de pré-authentifier une session et de tromper la victime pour qu'elle se connecte au compte de l'attaquant.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-25221 is a Cross-Site Request Forgery (CSRF) vulnerability in PolarLearn versions up to v0-PRERELEASE-15, allowing attackers to hijack user sessions via GitHub and Google OAuth login.
You are affected if you are using PolarLearn versions prior to 0.0.1 and rely on GitHub or Google for authentication.
Upgrade PolarLearn to version 0.0.1 or later to resolve the vulnerability. Consider implementing a Content Security Policy (CSP) as a temporary mitigation.
There is currently no confirmed active exploitation of CVE-2026-25221, but the lack of a public proof-of-concept does not guarantee safety.
Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.