Description
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass via forged JWT
Action: Patch Now
AI Analysis

Impact

OpenOLAT’s OpenID Connect implicit flow implementation fails to verify JWT signatures. The JSONWebToken.parse() method discards the signature segment of the compact JWT, and the token validation methods in OpenIdConnectApi and OpenIdConnectFullConfigurableApi only confirm claim‑level fields such as issuer, audience, state, and nonce without performing cryptographic signature verification against the Identity Provider’s JWKS endpoint. This flaw enables an attacker to supply a forged JWT that passes the claim checks and obtain an access token that authenticates as any user, effectively bypassing authentication.
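To make the defect concrete, here is an added illustration (not OpenOLAT code) of the two validation paths the advisory contrasts: a parse that drops the signature segment and checks only claims, beside one that verifies the signature before any claim is trusted. It assumes an HS256 shared key standing in for the IdP's signing key, since an offline example cannot fetch a JWKS; the ordering principle is the same for RS256 keys obtained from the JWKS endpoint.

```python
import base64, hashlib, hmac, json

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_claims(claims: dict, issuer: str, audience: str, nonce: str) -> bool:
    # Claim-level checks of the kind the advisory describes (iss, aud, nonce).
    return (claims.get("iss") == issuer and claims.get("aud") == audience
            and claims.get("nonce") == nonce)

def parse_unverified(token: str) -> dict:
    # Vulnerable pattern: the third (signature) segment is split off and ignored.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def parse_verified(token: str, key: bytes) -> dict:
    # Hardened pattern: verify the MAC over header.payload before trusting any claim.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def accept_token(token: str, key: bytes, issuer: str, audience: str, nonce: str, verify: bool) -> bool:
    try:
        claims = parse_verified(token, key) if verify else parse_unverified(token)
    except ValueError:
        return False
    return check_claims(claims, issuer, audience, nonce)

def sign_hs256(claims: dict, key: bytes) -> str:
    # Constructed stand-in for the IdP: issues a correctly signed token.
    header_b64 = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"

# Constructed sample data, not from the advisory.
IDP_KEY = b"constructed-idp-key"
ISSUER, AUDIENCE, NONCE = "https://idp.example", "openolat-client", "n-0S6_WzA2Mj"
CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "nonce": NONCE, "sub": "alice"}
GENUINE = sign_hs256(CLAIMS, IDP_KEY)
BAD_SIG = sign_hs256(CLAIMS, b"key-the-idp-never-held")  # claims match, signature does not
```

Both paths accept GENUINE; only the claim-only path also accepts BAD_SIG, which is exactly the gap the 20.2.5 fix closes.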

Affected Systems

OpenOLAT installations distributed by Frentix with versions ranging from 10.5.4 up to but not including 20.2.5 are affected. The vulnerability was addressed in version 20.2.5 when proper JWT signature verification was restored.

Risk and Exploitability

The CVSS score of 9.8 denotes critical severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed in-the-wild exploitation at present. The likely attack vector is the OIDC implicit flow, where an attacker can supply a forged token without needing additional privileges to bypass authentication.

Generated by OpenCVE AI on April 2, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to OpenOLAT version 20.2.5 or later to re‑enable JWT signature verification.
  • Validate that the OIDC endpoints enforce signature verification and fully validate required claims.
  • If an upgrade cannot be performed immediately, consider disabling the OIDC implicit flow endpoint to prevent exploitation until a patch is applied.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Frentix; Frentix openolat
CPEs                 -                cpe:2.3:a:frentix:openolat:*:*:*:*:*:*:*:*
Vendors & Products   -                Frentix; Frentix openolat

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Openolat; Openolat openolat
Vendors & Products   -                Openolat; Openolat openolat

Tue, 31 Mar 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type                 Values Removed   Values Added
Description          -                OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
Title                -                OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow
Weaknesses           -                CWE-287; CWE-347
References           -                (none)
Metrics              -                cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:08:07.327Z

Reserved: 2026-03-10T15:10:10.656Z

Link: CVE-2026-31946

Vulnrichment

Updated: 2026-03-31T14:08:03.414Z

NVD

Status : Analyzed

Published: 2026-03-30T21:17:09.440

Modified: 2026-04-02T16:49:44.503

Link: CVE-2026-31946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:03Z

Weaknesses