Description
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via Forged JWT
Action: Immediate Patch
AI Analysis

Impact

OpenOLAT versions from 10.5.4 up to, but not including, 20.2.5 implement the OpenID Connect implicit flow without verifying JWT signatures. The JWT parsing routine silently removes the signature segment, and the token validation functions only check claim-level fields such as issuer, audience, state, and nonce. Consequently, an attacker can forge a JWT and use it to bypass authentication, gaining unauthorized access to the platform, its courses, assessment data, and potentially personal user information.
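The parsing flaw that the description and the Impact paragraph above call out, shown as an added Python example (not OpenOLAT's code): a parser that splits off and discards the signature segment and then checks only issuer, audience and nonce, beside a hardened parser that verifies the signature before it looks at any claim. So that it runs offline the example uses HS256 with a constructed shared secret; the issuer URL, audience, nonce, secret and subject names are all constructed values. A real OIDC relying party verifies RS256/ES256 tokens with the key from the Identity Provider's JWKS whose kid matches the token header, and additionally checks exp and iat.

```python
"""Claim-only JWT parsing (the flaw) beside signature-verifying parsing.

Added example, not OpenOLAT code. HS256 with a constructed shared secret
stands in for the IdP's asymmetric key so the code runs offline.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the demonstration (not taken from the advisory).
IDP_SECRET = b"constructed-idp-signing-secret"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "openolat-client"
EXPECTED_NONCE = "nonce-123"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _claims_ok(claims: dict) -> bool:
    # Claim-level checks: all the vulnerable code did, and still required.
    return (
        claims.get("iss") == EXPECTED_ISSUER
        and claims.get("aud") == EXPECTED_AUDIENCE
        and claims.get("nonce") == EXPECTED_NONCE
    )


def parse_unverified(token: str) -> Optional[dict]:
    """Mirrors the flaw: the third segment is split off and never used."""
    _header_b64, payload_b64, _signature_b64 = token.split(".")  # signature dropped
    claims = json.loads(_b64url_decode(payload_b64))
    return claims if _claims_ok(claims) else None


def parse_verified(token: str, key: bytes) -> Optional[dict]:
    """Hardened: pin the algorithm, verify the signature, then check claims."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        return None  # not a compact JWT (header.payload.signature)
    header = json.loads(_b64url_decode(header_b64))
    # The expected algorithm comes from configuration, never from the token,
    # so "alg": "none" or an algorithm downgrade is rejected outright.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        return None  # payload or header changed after signing
    claims = json.loads(_b64url_decode(payload_b64))
    return claims if _claims_ok(claims) else None


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way the (simulated) Identity Provider would."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def tampered_copy(token: str, new_sub: str) -> str:
    """Negative test fixture: same header and signature, altered subject claim."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{signature_b64}"


def demo() -> dict:
    genuine = sign_hs256(
        {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
         "nonce": EXPECTED_NONCE, "sub": "alice"},
        IDP_SECRET,
    )
    tampered = tampered_copy(genuine, "admin")
    return {
        "unverified_accepts_tampered": parse_unverified(tampered) is not None,
        "verified_accepts_genuine": parse_verified(genuine, IDP_SECRET) is not None,
        "verified_accepts_tampered": parse_verified(tampered, IDP_SECRET) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The claim-only parser accepts the tampered copy because issuer, audience and nonce are untouched; the hardened parser rejects it before reading a single claim, and likewise rejects any token whose alg header is not the configured one. Detection-wise, a relying party that logs signature failures gets a clear signal here that the claim-only version never produces.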

Affected Systems

The vulnerability affects installations of the vendor/product OpenOLAT:OpenOLAT, specifically releases from 10.5.4 up to but not including version 20.2.5. Any deployment of those releases using the default OIDC implicit flow is susceptible.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, with a high likelihood that a remote attacker can exploit it via the web interface by crafting and submitting a forged JWT. While EPSS data was not available at the time of analysis, the absence of the vulnerability from the KEV catalog does not mitigate the high risk presented by the lack of signature verification. Attackers can simply redirect users to a malicious OIDC flow, submitting a forged token that the server accepts, and thus impersonate any user without any local system compromise.

Generated by OpenCVE AI on March 31, 2026 at 05:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenOLAT to version 20.2.5 or later, where the JWT signature is correctly validated.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openolat; Openolat openolat
Vendors & Products                    Openolat; Openolat openolat

Tue, 31 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type          Values Removed   Values Added
Description                    OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
Title                          OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow
Weaknesses                     CWE-287; CWE-347
References
Metrics                        cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Openolat Openolat
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:08:07.327Z

Reserved: 2026-03-10T15:10:10.656Z

Link: CVE-2026-31946

Vulnrichment

Updated: 2026-03-31T14:08:03.414Z

NVD

Status : Received

Published: 2026-03-30T21:17:09.440

Modified: 2026-03-30T21:17:09.440

Link: CVE-2026-31946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:40:07Z

Weaknesses