Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and authenticated actions as the banned user.
Published: 2026-04-07
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API access
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in PolarLearn’s authentication endpoint allows any password to authenticate a banned account because the system verifies the password only after creating a session. This results in the creation of a valid session that is then accepted by all authenticated API routes, giving an attacker access to account data and the ability to perform actions as the banned user. The weakness is a loss of authentication control (CWE‑287).

Affected Systems

The affected product is PolarLearn, as supplied by polarlearn. Vulnerable releases are those up to and including 0‑PRERELEASE‑15. Versions 0‑PRERELEASE‑16 and later are not affected.

Risk and Exploitability

The CVSS score of 9.2 indicates a high‑severity problem, and while the EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, the ability to bypass authentication renders it a critical risk. An attacker would need to send a signed POST request to /api/v1/auth/sign-in with the user’s email and any arbitrary password. The exploit requires network access to the API endpoint; no local privilege escalation or code execution is required.

Generated by OpenCVE AI on April 14, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PolarLearn to version 0-PRERELEASE-16 or newer.
  • Revoke existing sessions for banned accounts and prevent session creation until password is verified.

Generated by OpenCVE AI on April 14, 2026 at 20:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Polarlearn
Polarlearn polarlearn
CPEs cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*
Vendors & Products Polarlearn
Polarlearn polarlearn

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Polarnl
Polarnl polarlearn
Vendors & Products Polarnl
Polarnl polarlearn

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and authenticated actions as the banned user.
Title PolarLearn: Any password authenticates banned accounts and grants API access
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Polarlearn Polarlearn
Polarnl Polarlearn
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:16:51.970Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39322

cve-icon Vulnrichment

Updated: 2026-04-09T16:16:11.808Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:28.773

Modified: 2026-04-14T18:44:29.327

Link: CVE-2026-39322

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses