Platform: python
Component: openedx-platform
Fixed in: ulmo
CVE-2026-34736 is a vulnerability in the Open edX Platform affecting versions from maple up to, but not including, ulmo. An unauthenticated attacker can bypass the email verification process, potentially gaining unauthorized access to user accounts. This bypass is achieved by exploiting the OAuth2 password grant issuing tokens to inactive users and the subsequent exposure of the activation key in the REST API. The vulnerability has been patched in the ulmo release.
Successful exploitation of CVE-2026-34736 allows an attacker to bypass the email verification process in Open edX. This means an attacker could potentially create and access user accounts without needing to verify the associated email address. The impact extends to the compromise of user accounts, potentially leading to unauthorized access to learning materials, course data, and personal information stored within the platform. While the vulnerability requires combining two factors (an OAuth2 token issued to an inactive user and the activation key exposed through the REST API), the potential for widespread account takeover is significant, particularly in environments with a large number of inactive users.
This vulnerability was publicly disclosed on 2026-04-02. Currently, there are no known public proof-of-concept exploits available. The vulnerability's severity is rated as Medium (CVSS 5.3). It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed at this time, but the ease of exploitation, combined with the potential impact, warrants careful monitoring.
Educational institutions and organizations utilizing Open edX Platform for online learning are at risk. Specifically, deployments on any release from maple up to, but not including, ulmo, and those with a significant number of inactive user accounts, are particularly vulnerable. Shared hosting environments running Open edX may also be at increased risk due to potential limitations in access control and monitoring.
• python / server:

    import requests

    # Unauthenticated probe of the accounts endpoint: a patched deployment
    # should not return an activation_key field to an anonymous caller.
    url = "https://your-openedx-instance/api/user/v1/accounts/"

    def contains_key(obj, name="activation_key"):
        # Recursively search dicts and lists in the JSON body for the field name
        if isinstance(obj, dict):
            return any(k == name or contains_key(v, name) for k, v in obj.items())
        if isinstance(obj, list):
            return any(contains_key(v, name) for v in obj)
        return False

    try:
        response = requests.get(url, timeout=10)
        if response.status_code == 200 and contains_key(response.json()):
            print("activation_key exposed to an unauthenticated caller")
        else:
            print("No activation_key in response; status code:", response.status_code)
    except (requests.exceptions.RequestException, ValueError) as e:
        print("Error connecting to or parsing endpoint:", e)

• linux / server:

    journalctl -u openedx -f | grep "activation_key"

• generic web:

    Use a web proxy or browser extension to inspect the response from /api/user/v1/accounts/ for the presence of an activation_key field in the JSON response.
EPSS: 0.07% (percentile 20%)
The primary mitigation for CVE-2026-34736 is to upgrade Open edX Platform to version ulmo or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Restricting access to the /api/user/v1/accounts/ endpoint to authenticated users only can help prevent the exposure of activation keys. Additionally, review OAuth2 configurations to ensure that tokens are not being issued to inactive users. Monitor API logs for suspicious activity related to account creation and activation.
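The last mitigation step, monitoring API logs for account-creation and activation activity, can be scripted. The following is an added example, not code from the page or from the Open edX project: it scans constructed access-log lines (the combined log format with an appended auth= field is an assumption about the deployment, not Open edX's actual log layout) and flags two of the conditions this advisory describes, an anonymous request to the accounts endpoint that succeeded and an OAuth2 password-grant token request.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines; the "auth=" and "grant_type=" suffixes are assumed
# to be added by the reverse proxy and are not part of Open edX's own format.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:10:00:01 +0000] "GET /api/user/v1/accounts/ HTTP/1.1" 200 5120 "-" "curl/8.0" auth=anonymous
10.0.0.5 - - [02/Apr/2026:10:00:02 +0000] "POST /oauth2/access_token HTTP/1.1" 200 310 "-" "curl/8.0" auth=anonymous grant_type=password
10.0.0.9 - - [02/Apr/2026:10:00:03 +0000] "GET /api/user/v1/accounts/alice HTTP/1.1" 200 640 "-" "Mozilla/5.0" auth=session
10.0.0.5 - - [02/Apr/2026:10:00:04 +0000] "GET /courses/ HTTP/1.1" 200 900 "-" "curl/8.0" auth=anonymous
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" auth=(?P<auth>\S+)(?: grant_type=(?P<grant>\S+))?$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reason: str


def audit_access_log(text):
    """Return a list of Findings for lines matching the advisory's risk conditions."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        d = m.groupdict()
        # Condition 1: the accounts API answered 200 to an anonymous caller,
        # which is the exposure path for the activation key.
        if (d["path"].startswith("/api/user/v1/accounts")
                and d["auth"] == "anonymous" and d["status"] == "200"):
            findings.append(Finding(d["ip"], d["ts"], d["path"],
                                    "unauthenticated accounts API read returned 200"))
        # Condition 2: a password-grant token request, the grant the advisory
        # says issues tokens to inactive users on unpatched releases.
        if (d["method"] == "POST" and d["path"].startswith("/oauth2/access_token")
                and d["grant"] == "password"):
            findings.append(Finding(d["ip"], d["ts"], d["path"],
                                    "OAuth2 password grant token request"))
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.path}: {f.reason}")
```

Only the first two sample lines produce findings; the session-authenticated read and the unrelated course page are ignored. Feed the function your proxy logs after adding the auth marker, or adapt LINE_RE to whatever your reverse proxy actually writes.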
Update Open edX Platform to version ulmo or later. This version fixes the vulnerability that allows email verification to be bypassed by exposing the activation key in the REST API.
CVE-2026-34736 is a vulnerability in Open edX Platform allowing an unauthenticated attacker to bypass email verification by exploiting OAuth2 token issuance and API exposure, impacting versions from maple up to, but not including, ulmo.
You are affected if you are running Open edX Platform versions maple up to, but not including, ulmo. Check your version and upgrade if necessary.
Upgrade Open edX Platform to version ulmo or later to resolve the vulnerability. Consider temporary workarounds like restricting API access if immediate upgrading is not possible.
Active exploitation is not confirmed at this time, but the vulnerability's ease of exploitation warrants careful monitoring.
Refer to the official Open edX security advisories on their website for detailed information and updates regarding CVE-2026-34736.