Description
Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized account activation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to bypass the email verification process in Open edX Platform. By exploiting the fact that OAuth2 password grants are issued to inactive users and that the activation_key is exposed in the /api/user/v1/accounts/ REST API response, the attacker can obtain a valid activation key and create a session for the account without confirming the user’s email. This results in unauthorized activation of a user account, potentially granting the attacker access to course content, instructor privileges, or administrative functions, depending on the account role.

Affected Systems

The issue affects the Open edX Platform (openedx:openedx-platform). It exists in all releases from maple up to, but not including, ulmo. The ulmo release contains the patch.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Because no authentication is required and the exploit relies only on reading a public API response and requesting an OAuth2 token, the attack is remote and trivial to carry out for anyone with network access to the platform. EPSS is currently unknown and the vulnerability is not listed in the CISA KEV catalog, but the combination of credential exposure and authentication bypass still warrants prompt remediation.

Generated by OpenCVE AI on April 2, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the ulmo release or later, which contains the patch
  • If an upgrade is not immediately possible, remove the activation_key field from the /api/user/v1/accounts/ response and disable OAuth2 password grants for inactive users
  • Verify that the email verification flow enforces account activation before allowing platform access


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Openedx; Openedx openedx-platform

Type: Vendors & Products
Values Removed: (none)
Values Added: Openedx; Openedx openedx-platform

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.

Type: Title
Values Removed: (none)
Values Added: Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-287

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:08:43.532Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34736

Vulnrichment

Updated: 2026-04-03T16:08:40.333Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T19:21:32.867

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:42Z

Weaknesses