Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker.
Published: 2026-02-02
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Login Cross-Site Request Forgery leading to data loss and information disclosure
Action: Apply Patch
AI Analysis

Impact

Because the GitHub and Google OAuth 2.0 flows in PolarLearn neither send nor verify the state parameter, the callback handler has no way to tie an incoming authorization code to the browser session that started the login. An attacker can complete the provider step with their own account, capture the callback URL carrying the authorization code before their browser follows it, and send that URL to a victim. The victim's browser is then silently logged into the attacker's PolarLearn account, so any content the victim creates or academic progress they record is written to the attacker's profile: the victim loses the data and the attacker can read it.

Affected Systems

The vulnerability affects the PolarLearn application from vendor polarnl, versions 0‑PRERELEASE‑15 and all earlier releases, for both the GitHub and the Google login providers. Builds that include commit 44669bbb5b647c7625f22dd82f3121c7d7bfbe19, which adds state parameter generation and validation to those flows, are not affected.

Risk and Exploitability

The CNA's CVSS 4.0 score is 2.3 (Low), the EPSS probability is below 1%, and the CVE is not in the CISA KEV catalog. NVD separately assigned a CVSS 3.1 score of 8.1 (High, C:H/I:H), and the SSVC record marks Exploitation as "poc", so the severity figures disagree and a proof of concept or well-known exploitation method exists. No access to PolarLearn is needed: the attacker starts a login with their own provider account, captures the callback URL with the authorization code, and gets the victim to open it (UI:P in the vector), for example through a link in a message; the code must be used before the provider expires it (AT:P). The victim's own account is not accessed. The damage is that work the victim does while unknowingly signed into the attacker's account is lost to the victim and readable by the attacker, and nothing in the interface tells the victim which account they are using. The attack is cheap to mount and the data loss is silent, so the fix should be applied promptly despite the low headline score.

Generated by OpenCVE AI on April 18, 2026 at 00:28 UTC.

Remediation

No vendor advisory is listed here. The fix is commit 44669bbb5b647c7625f22dd82f3121c7d7bfbe19, which adds state parameter verification to the GitHub and Google flows (see Affected Systems).

OpenCVE Recommended Actions

  • Upgrade PolarLearn to the release following 0‑PRERELEASE‑15 (0‑PRERELEASE‑16 or later), that is, a build containing commit 44669bbb5b647c7625f22dd82f3121c7d7bfbe19, which implements state parameter generation and verification for GitHub and Google OAuth. Confirm the fix by checking that the authorize redirect now carries a state value and that the callback rejects a request whose state is missing or altered.
  • If an upgrade cannot be performed immediately, patch the callback handlers yourself: generate an unguessable state when redirecting to the provider, store it in the server‑side session, and on return reject the callback unless the presented state matches that session's value and has neither expired nor been used, all before the authorization code is exchanged. This is application code, not provider‑side configuration; neither GitHub nor Google enforces state on the application's behalf.
  • Tell users to ignore unsolicited PolarLearn login links, and monitor for accounts that accumulate progress from sessions their owner does not recognize.
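The missing check and its fix, as an added Python example that is not PolarLearn's code or the fixing commit: the provider, the session store and the two callback handlers are modelled with plain dicts and functions so it runs offline, and every name, URL, account, session key and the 600‑second state lifetime is an assumption. simulate_attack plays out the login CSRF described above against each handler; only the state‑checking handler refuses the lured callback, and simulate_legit shows that the fixed handler still accepts a login the same session began.

```python
"""Login CSRF through a missing OAuth 2.0 `state`, beside the fix.

Added example, not PolarLearn's code. Provider, session store and callback
handlers are modelled with plain dicts and functions so it runs offline;
all names, URLs, accounts and the STATE_TTL value are assumptions.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

STATE_TTL = 600                        # assumed lifetime of a pending state, seconds
CALLBACK = "https://app.example/cb"    # assumed redirect_uri

# Constructed stand-in for GitHub/Google: authorization code -> account that
# consented. In the attack the attacker has already consented with their own.
PROVIDER_CODES = {}


def provider_issue_code(account):
    """Provider side: mint a single-use authorization code for `account`."""
    code = secrets.token_urlsafe(16)
    PROVIDER_CODES[code] = account
    return code


def provider_exchange_code(code):
    """Provider side: redeem the code once; returns the account it belongs to."""
    return PROVIDER_CODES.pop(code)


def begin_login(session, provider):
    """Mint a state, bind it to THIS session, and build the authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = {"value": state, "provider": provider,
                              "issued": time.time()}
    return f"https://{provider}.example/authorize?" + urlencode(
        {"client_id": "polarlearn", "redirect_uri": CALLBACK, "state": state})


def callback_vulnerable(session, callback_url):
    """Pre-fix: any browser presenting a valid code is logged in as the account
    that code belongs to; nothing ties the code to the session that began."""
    q = parse_qs(urlparse(callback_url).query)
    session["user"] = provider_exchange_code(q["code"][0])
    return session["user"]


def callback_fixed(session, callback_url):
    """Post-fix: reject unless `state` matches what this session minted, is
    unexpired and unused. Every check runs BEFORE the code is exchanged."""
    q = parse_qs(urlparse(callback_url).query)
    pending = session.pop("oauth_state", None)    # single use, even on failure
    presented = q.get("state", [""])[0]
    if pending is None:
        raise PermissionError("no login in progress for this session")
    if time.time() - pending["issued"] > STATE_TTL:
        raise PermissionError("state expired")
    if not hmac.compare_digest(pending["value"].encode(), presented.encode()):
        raise PermissionError("state mismatch: possible login CSRF")
    session["user"] = provider_exchange_code(q["code"][0])
    return session["user"]


def simulate_attack(handler):
    """Attacker starts a login, consents at the provider with their own account,
    captures the redirect (code and state) instead of following it, and lures
    the victim, whose session never started a login, into opening it."""
    attacker_session = {}
    auth_url = begin_login(attacker_session, "github")
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    code = provider_issue_code("attacker@example")
    lure = CALLBACK + "?" + urlencode({"code": code, "state": state})

    victim_session = {}
    try:
        handler(victim_session, lure)
    except PermissionError:
        pass
    return victim_session      # {'user': 'attacker@example'} only if vulnerable


def simulate_legit(handler, account="victim@example"):
    """Honest flow: the session that began the login is the one finishing it."""
    session = {}
    auth_url = begin_login(session, "google")
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    code = provider_issue_code(account)
    handler(session, CALLBACK + "?" + urlencode({"code": code, "state": state}))
    return session


if __name__ == "__main__":
    print("vulnerable handler, lured victim:", simulate_attack(callback_vulnerable))
    print("fixed handler, lured victim:     ", simulate_attack(callback_fixed))
    print("fixed handler, honest login:     ", simulate_legit(callback_fixed))
```

Two details carry the protection: the state lives in the server‑side session, not in a cookie or query value the attacker can set, and the comparison happens before the code exchange, because redeeming the code is what logs someone in. PKCE (RFC 7636) binds the authorization code itself to the initiating session and complements state rather than replacing it.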

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:00:00 +0000

  First Time appeared
    added:   Polarlearn; Polarlearn polarlearn
  CPEs
    removed: cpe:2.3:a:plarnl:polarlearn:-:*:*:*:*:*:*:*
    added:   cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*
  Vendors & Products
    removed: Plarnl; Plarnl polarlearn
    added:   Polarlearn; Polarlearn polarlearn

Fri, 20 Feb 2026 20:45:00 +0000

  First Time appeared
    added:   Plarnl; Plarnl polarlearn
  CPEs
    added:   cpe:2.3:a:plarnl:polarlearn:-:*:*:*:*:*:*:*
  Vendors & Products
    added:   Plarnl; Plarnl polarlearn
  Metrics
    added:   cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Wed, 04 Feb 2026 12:30:00 +0000

  First Time appeared
    added:   Polarnl; Polarnl polarlearn
  Vendors & Products
    added:   Polarnl; Polarnl polarlearn

Tue, 03 Feb 2026 20:15:00 +0000

  Metrics
    added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

  Description
    added:   PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker.
  Title
    added:   PolarLearn has Multiple Login CSRFs via Missing OAuth state Parameter (GitHub & Google)
  Weaknesses
    added:   CWE-352
  References
  Metrics
    added:   cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T19:52:26.258Z

Reserved: 2026-01-30T14:44:47.327Z

Link: CVE-2026-25221

Vulnrichment

Updated: 2026-02-03T19:52:22.853Z

NVD

Status: Analyzed

Published: 2026-02-02T23:16:09.757

Modified: 2026-02-20T20:45:57.853

Link: CVE-2026-25221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses