Platform: nodejs
Component: polarnl/polarnl
Fixed in: 0.0.1
CVE-2026-39322 describes an authentication bypass vulnerability discovered in PolarLearn, a free and open-source learning program. This flaw allows banned user accounts to create valid sessions and bypass authentication checks, granting access to sensitive data and enabling unauthorized actions. The vulnerability affects versions 0.0.0 up to and including v0-PRERELEASE-15, but a fix is available in version 0.0.2.
An attacker exploiting this vulnerability can bypass the intended restrictions placed on banned user accounts. By crafting a specific POST request to the /api/v1/auth/sign-in endpoint, an attacker can create a valid session even if the account is flagged as banned. This session is then accepted across authenticated API routes, effectively allowing the attacker to impersonate the banned user. The potential impact includes unauthorized access to account data, modification of learning materials, and potentially even administrative actions depending on the permissions associated with the banned account. This could compromise the integrity and confidentiality of the learning platform.
CVE-2026-39322 was publicly disclosed on 2026-04-07. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Given the relatively straightforward nature of the bypass, it is possible that attackers may develop and deploy exploits in the future.
Organizations and individuals using PolarLearn versions 0.0.0 through v0-PRERELEASE-15 are at risk. This includes educational institutions, training providers, and anyone utilizing PolarLearn for online learning programs. Shared hosting environments running PolarLearn are particularly vulnerable, as a compromise of one account could potentially lead to broader access.
• nodejs / server:
# Check for PolarLearn processes (the bracket trick keeps the grep process itself out of the output)
ps aux | grep -i '[p]olarlearn'
# Monitor API logs for suspicious login attempts from banned accounts (check for 'banned' status in user records)
grep 'banned' /var/log/polarlearn/api.log
• generic web:
# Check for exposed /api/v1/auth/sign-in endpoint
curl -I https://your-polarlearn-instance/api/v1/auth/sign-in
Exploit status
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2026-39322 is to upgrade PolarLearn to version 0.0.2 or later, which contains the fix for this authentication bypass. If upgrading is not immediately feasible, consider implementing temporary workarounds such as stricter input validation on the /api/v1/auth/sign-in endpoint to prevent the creation of sessions for banned accounts. Review and enhance existing ban enforcement mechanisms to ensure they are correctly preventing access to authenticated routes. Monitor API logs for suspicious login attempts or unusual activity associated with banned accounts.
Update PolarLearn to version 0.0.2 or later to mitigate the vulnerability. This update fixes the problem by verifying the password before creating a session for banned accounts, preventing unauthorized access to account data.
CVE-2026-39322 is an authentication bypass vulnerability in PolarLearn versions 0.0.0 through v0-PRERELEASE-15, allowing banned accounts to access data and perform actions.
If you are using PolarLearn version 0.0.0 through v0-PRERELEASE-15, you are potentially affected by this vulnerability.
Upgrade PolarLearn to version 0.0.2 or later to resolve the authentication bypass vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.