Description
Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
Published: 2026-04-06
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the view_survey endpoint of Open edX, which accepts a redirect_url GET parameter and passes it directly to HttpResponseRedirect() without validation. When a requester provides a non‑existent survey name, the server immediately issues a 302 redirect to the attacker‑controlled URL. The same unvalidated redirect_url is also injected into a hidden form field and delivered in a JSON response after form submission, where client‑side JavaScript sets location.href to that URL. These behaviors let an adversary embed a malicious link that redirects authenticated users to phishing sites, enabling credential theft. The issue corresponds to CWE‑601, an open redirect weakness.

Affected Systems

Open edX Platform (vendor openedx:openedx-platform) is affected; specific version information is not provided in the data.

Risk and Exploitability

The CVSS score is 4.7, indicating a moderate risk. The EPSS score of <1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this via a web request to the survey endpoint, requiring no special conditions beyond the ability to craft the redirect_url parameter, making it relatively straightforward for malicious actors targeting authenticated users.

Generated by OpenCVE AI on May 11, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the patch commit 76462f1e5fa9b37d2621ad7ad19514b403908970 in the Open edX Platform codebase
  • Reconfigure the survey endpoint to reject or sanitize any redirect_url queries, removing the parameter if it is not required
  • Deploy a WAF rule that flags or blocks unexpected external redirects originating from the survey endpoint
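As an added illustration that is not the Open edX project's code or the fix in commit 76462f1e5fa9b37d2621ad7ad19514b403908970, the Python below shows the two defensive checks the description and the recommended actions call for: a redirect-target validator that only accepts same-site paths or absolute http(s) URLs whose host is on an allow-list (a re-implementation of the idea behind Django's url_has_allowed_host_and_scheme, written here so it runs without Django), and a small log scanner that applies the same validator to redirect_url values seen in requests to the survey endpoint. The survey path prefix, the allowed host list and the access-log lines are all constructed for the example.

```python
"""Open-redirect guard and log check (added example, not Open edX code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the survey views live under this prefix in the deployment's URL space.
SURVEY_PATH_PREFIX = "/survey/"


def is_safe_redirect(url, allowed_hosts):
    """Return True only for a same-site path ('/...') or an absolute http(s) URL
    whose hostname is in allowed_hosts.  Anything else (other schemes, foreign
    hosts, protocol-relative or backslash tricks) is rejected."""
    if not url:
        return False
    # Control characters are never part of a legitimate redirect target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat backslashes like forward slashes, so normalise before parsing
    # so that '/\evil.example' is seen as '//evil.example'.
    candidate = url.replace("\\", "/")
    # Chrome treats '///host' as '//host'; urlsplit does not, so reject it explicitly.
    if candidate.startswith("///"):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    if parts.netloc:
        # .hostname drops userinfo and port, so 'https://trusted@evil.example/'
        # is judged by 'evil.example', not by the text before the '@'.
        host = (parts.hostname or "").lower()
        return host in {h.lower() for h in allowed_hosts}
    if scheme:
        return False  # 'http:evil.example' style: scheme without host
    # No scheme, no host: accept only a path rooted at this site.
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_target(url, allowed_hosts, fallback="/"):
    """Hardened form of 'HttpResponseRedirect(request.GET["redirect_url"])':
    return the requested target only if it passes validation, else a fallback."""
    return url if is_safe_redirect(url, allowed_hosts) else fallback


# Minimal combined-log-format parser (enough for the constructed lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def find_external_redirect_attempts(log_lines, allowed_hosts):
    """Flag survey requests whose redirect_url would send the browser off-site.
    Returns a list of (client_ip, status, redirect_url) tuples."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(SURVEY_PATH_PREFIX):
            continue
        query = urlsplit(m.group("path")).query
        for target in parse_qs(query).get("redirect_url", []):
            if not is_safe_redirect(target, allowed_hosts):
                hits.append((m.group("ip"), m.group("status"), target))
    return hits


# Constructed sample access-log lines; hosts and addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2026:10:00:01 +0000] "GET /survey/nonexistent/?redirect_url=https://evil.example/login HTTP/1.1" 302 0',
    '198.51.100.4 - - [06/Apr/2026:10:00:05 +0000] "GET /survey/course_feedback/?redirect_url=/dashboard HTTP/1.1" 200 4512',
    '203.0.113.7 - - [06/Apr/2026:10:00:09 +0000] "GET /survey/nonexistent/?redirect_url=//evil.example HTTP/1.1" 302 0',
    '192.0.2.9 - - [06/Apr/2026:10:00:12 +0000] "GET /survey/x/?redirect_url=https://lms.example.org/courses HTTP/1.1" 302 0',
    '192.0.2.9 - - [06/Apr/2026:10:00:20 +0000] "GET /dashboard HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    allowed = {"lms.example.org"}
    for ip, status, target in find_external_redirect_attempts(SAMPLE_LOG, allowed):
        print(f"off-site redirect_url from {ip} (HTTP {status}): {target}")
```

The validator is deliberately stricter than Django's helper (bare relative paths without a leading slash are refused), which is the right default for a parameter that is only ever meant to return the user to a page on the same LMS. The log check is what a WAF or SIEM rule should reduce to: parse the parameter, apply the same allow-list, and alert on anything that fails.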

Generated by OpenCVE AI on May 11, 2026 at 20:09 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 18:00:00 +0000

Type: Description
Values Removed: Open edX Platform enables the authoring and delivery of online learning at any scale. he view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
Values Added: Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.

Thu, 16 Apr 2026 04:45:00 +0000

Type: First Time appeared
Values Added: Openedx openedx
Type: CPEs
Values Added: cpe:2.3:a:openedx:openedx:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Openedx openedx

Tue, 07 Apr 2026 18:00:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Openedx; Openedx openedx-platform
Type: Vendors & Products
Values Added: Openedx; Openedx openedx-platform

Tue, 07 Apr 2026 00:00:00 +0000

Type: Description
Values Added: Open edX Platform enables the authoring and delivery of online learning at any scale. he view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
Type: Title
Values Added: Open edX Platform has an Open Redirect in Survey Views via Unvalidated redirect_url Parameter
Type: Weaknesses
Values Added: CWE-601
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added:
{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T17:29:17.591Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35404

Vulnrichment

Updated: 2026-04-07T16:17:44.671Z

NVD

Status : Modified

Published: 2026-04-06T22:16:21.360

Modified: 2026-05-11T18:16:32.343

Link: CVE-2026-35404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:15:09Z

Weaknesses