Description
Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
Published: 2026-04-06
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect enabling phishing of authenticated users
Action: Apply Patch
AI Analysis

Impact

The vulnerability occurs when the survey view in Open edX accepts an unvalidated redirect_url GET parameter and directly passes it to an HTTP redirect response. This allows an attacker to craft a link that sends a user to a malicious site after logging in, facilitating credential theft or phishing. The weakness aligns with CWE-601, open redirect.
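The fix for an open redirect of the kind described above and in the CVE description is to validate the target before it reaches HttpResponseRedirect(), the hidden form field, or the JSON payload that client-side code assigns to location.href. The validator below is an added example, not code from the Open edX project or its fix commit; it uses only the Python standard library (in Django the equivalent helper is django.utils.http.url_has_allowed_host_and_scheme()), and the host names and paths in it are constructed for illustration.

```python
from typing import Collection, Optional
from urllib.parse import urlsplit

# Added example, not code from the Open edX fix commit. It shows the check a
# view like view_survey needs before handing a user-supplied redirect_url to
# HttpResponseRedirect(), and before echoing it into a hidden form field or a
# JSON response whose value a browser will assign to location.href.

ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect(url: str, allowed_hosts: Collection[str],
                     require_https: bool = False) -> bool:
    """True only if url is a same-site path or an absolute URL on an allowed host."""
    if not url:
        return False
    # Control characters can smuggle a scheme or host past naive string checks.
    if any(c in url for c in "\x00\t\r\n"):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example" is
    # navigated as "//evil.example" (scheme-relative, off-site). Normalise first.
    url = url.replace("\\", "/")
    # Chrome treats three or more leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # "http:///evil.example": scheme present but host missing. Reject rather than guess.
    if parts.scheme and not parts.netloc:
        return False
    # Only http(s) may be redirect targets; "javascript:" and "data:" are not.
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
        return False
    if require_https and parts.scheme == "http":
        return False
    # Scheme-relative ("//evil.example") and absolute URLs must name an allowed host.
    if parts.netloc and parts.netloc not in allowed_hosts:
        return False
    return True


def resolve_redirect(requested: Optional[str], allowed_hosts: Collection[str],
                     fallback: str = "/dashboard") -> str:
    """Return the requested target if it validates, otherwise a fixed in-app fallback."""
    if requested and is_safe_redirect(requested, allowed_hosts):
        return requested
    return fallback
```

The same function must be applied at every point the value is emitted, since the description notes the unvalidated URL is reused in the form field and JSON response, not only in the 302.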

Affected Systems

Open edX Platform (vendor openedx:openedx-platform) is affected; specific version information is not provided in the data.

Risk and Exploitability

The CVSS score is 4.7, indicating a moderate risk. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this via a web request to the survey endpoint, requiring no special conditions beyond the ability to craft the redirect_url parameter, making it relatively straightforward for malicious actors targeting authenticated users.

Generated by OpenCVE AI on April 7, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 76462f1e5fa9b37d2621ad7ad19514b403908970 to the Open edX Platform


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 04:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openedx openedx
CPEs                                  cpe:2.3:a:openedx:openedx:*:*:*:*:*:*:*:*
Vendors & Products                    Openedx openedx

Tue, 07 Apr 2026 18:00:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openedx
                                      Openedx openedx-platform
Vendors & Products                    Openedx
                                      Openedx openedx-platform

Tue, 07 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
Title                          Open edX Platform has an Open Redirect in Survey Views via Unvalidated redirect_url Parameter
Weaknesses                     CWE-601
References
Metrics                        cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:17:47.603Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35404

Vulnrichment

Updated: 2026-04-07T16:17:44.671Z

NVD

Status : Analyzed

Published: 2026-04-06T22:16:21.360

Modified: 2026-04-16T04:41:09.670

Link: CVE-2026-35404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:36:55Z

Weaknesses