Description
OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has been patched in version 2.0.3.
Published: 2026-05-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenLearnX allowed an attacker to escape the Python sandbox used in its code execution environment, enabling arbitrary execution of system commands on the host. The flaw is a classic privilege escalation vulnerability that can compromise the confidentiality, integrity, and availability of the affected server. The vendor lists the weakness under several CWE identifiers indicating issues with hard‑coded privilege, authentication bypass, missing input validation, OS command injection, and code injection.

Affected Systems

OpenLearnX versions prior to 2.0.3 are impacted; the forward‑compatibility of this issue is tied to the code execution module that shipped with releases up to and including 2.0.2. The patch was bundled in the 2.0.3 release and subsequent security builds.

Risk and Exploitability

The CVSS score of 8.8 signifies high severity, and while a concrete EPSS score is not available, the absence of an EPSS entry suggests limited current exploitation data. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote attacker leveraging a public code execution endpoint, bypassing sandbox controls, and executing arbitrary shell commands. Payload delivery could occur through the platform’s learning or assessment interfaces that accept user‑submitted Python code.

Generated by OpenCVE AI on May 8, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenLearnX to version 2.0.3 or later, which contains the patch for the sandbox escape issue.
  • If a rapid upgrade is not feasible, block or restrict access to the code execution endpoint by firewalling or restricting it to trusted IP ranges, or disable the feature entirely through configuration.
  • Regularly monitor official GitHub advisories and security releases for OpenLearnX to ensure any new patches are applied without delay.

Generated by OpenCVE AI on May 8, 2026 at 05:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8h25-q488-4hxw OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment
History

Fri, 29 May 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:th30d4y:openlearnx:2.0.1:*:*:*:*:node.js:*:*

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Th30d4y
Th30d4y openlearnx
Vendors & Products Th30d4y
Th30d4y openlearnx

Fri, 08 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has been patched in version 2.0.3.
Title OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment
Weaknesses CWE-250
CWE-284
CWE-693
CWE-78
CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Th30d4y Openlearnx
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T12:54:17.267Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41900

cve-icon Vulnrichment

Updated: 2026-05-08T12:54:13.095Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T04:16:18.710

Modified: 2026-05-29T14:54:23.353

Link: CVE-2026-41900

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:26:10Z

Weaknesses