Impact
OpenLearn, a community‑driven educational forum, had a flaw whereby posts awaiting approval were hidden from the public feed when moderation mode was active, but the direct read operation continued to return the full post content to anyone who could guess or know the post’s UUID. This constitutes an unauthorized read of private data under CWE‑284. The result is that sensitive or confidential information inadvertently tied to a pending post could be leaked to the public or to any attacker who obtains the ID, leading to potential privacy violations and misuse of content that is not yet vetted for publication.
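To make the flaw concrete, here is an added Python model of the behaviour described above and of a fix; it is not OpenLearn's own code (the project's real schema and handlers are not shown on this page), and the names `Post`, `read_post_fixed` and the moderation-mode flag are assumptions. The fix applies the feed's visibility rule to the direct read and answers an unauthorized request for a pending post exactly as it answers an unknown UUID, so the response does not confirm that the post exists.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Post:
    uuid: str
    author_id: str
    body: str
    approved: bool  # False while the post awaits moderator approval


# Constructed sample data; UUIDs, authors and content are made up for this example.
POSTS: Dict[str, Post] = {
    "11111111-1111-4111-8111-111111111111": Post(
        "11111111-1111-4111-8111-111111111111", "alice", "Approved lecture notes", True),
    "22222222-2222-4222-8222-222222222222": Post(
        "22222222-2222-4222-8222-222222222222", "bob", "Pending: contains an internal link", False),
}


def visible_to_public(post: Post, moderation_mode: bool) -> bool:
    """The feed's rule: pending posts are withheld only while moderation mode is on."""
    return post.approved or not moderation_mode


def list_feed(posts: Dict[str, Post], moderation_mode: bool) -> List[Post]:
    """Public feed; this path already behaved correctly according to the advisory."""
    return [p for p in posts.values() if visible_to_public(p, moderation_mode)]


def read_post_vulnerable(posts: Dict[str, Post], post_id: str) -> Optional[Post]:
    """Direct read as described in the advisory: knowing the UUID is enough."""
    return posts.get(post_id)


def read_post_fixed(posts: Dict[str, Post], post_id: str, moderation_mode: bool,
                    requester_id: Optional[str] = None,
                    is_moderator: bool = False) -> Optional[Post]:
    """Direct read that enforces the same visibility rule as the feed.

    A pending post is returned only to a moderator or to its own author; every
    other caller gets None, the same result as for a nonexistent UUID.
    """
    post = posts.get(post_id)
    if post is None:
        return None
    if visible_to_public(post, moderation_mode):
        return post
    if is_moderator or (requester_id is not None and requester_id == post.author_id):
        return post
    return None
```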
Affected Systems
The issue affects any installation of OpenLearn running a version prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab. No specific version numbers are listed, but any build incorporating the code base before this fix is vulnerable. The vendor listed in the CNA is siemvk:OpenLearn.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, and the EPSS score of < 1% suggests a low current likelihood of exploitation in the wild. The vulnerability is reachable remotely via the standard post‑retrieval endpoint and requires no authentication, so an attacker who knows a pending post's UUID can trigger it with a single request. Although it is not flagged in the CISA KEV catalog, the absence of a broader exploitation trend does not reduce the potential impact on organizations that rely on unapproved content remaining confidential.
OpenCVE Enrichment