Description
Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadata_url POST parameter. This URL is passed directly to requests.get() in fetch_metadata_xml() without any URL validation, IP filtering, or scheme enforcement. An attacker with Enterprise Admin privileges can force the server to make HTTP requests to internal network services, cloud metadata endpoints (e.g., AWS 169.254.169.254), or other attacker-controlled destinations. This vulnerability is fixed by commit 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054.
Published: 2026-05-11
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open edX Platform includes a sync_provider_data endpoint that permits Enterprise Admin users to submit an arbitrary metadata URL. The server forwards this URL to requests.get() without validating the scheme, enforcing IP filtering, or applying a whitelist. This lack of validation allows the request to be directed to any host reachable from the server, effectively giving the attacker a server‑side request forgery capability. An attacker who can achieve Enterprise Admin privileges can cause the platform to contact internal services, cloud metadata endpoints such as AWS’s 169.254.169.254, or any external hosts, potentially exposing sensitive data or facilitating further compromise.

Affected Systems

Any deployment of the Open edX Platform that includes the sync_provider_data endpoint exposed prior to the security fix. The affected product is Open edX Platform (openedx:openedx-platform). No specific version range is listed, so all versions before the patches identified in the advisory are considered vulnerable.

Risk and Exploitability

The severity of the flaw is reflected by a CVSS score of 8.5, classifying it as high impact once the attacker gains the necessary authentication level. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation to date. The attack vector requires an authenticated Enterprise Admin, but once such access is attained the server can contact arbitrary internal resources, presenting a clear path for internal reconnaissance or data exfiltration. Because the flaw is an SSRF, attackers can also attempt to reach privileged cloud service endpoints, enabling further privilege escalation.

Generated by OpenCVE AI on May 11, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Open edX Platform codebase to include the security fix commits, which remove unsanitized URL usage from the sync_provider_data endpoint.
  • If a patch cannot be deployed immediately, limit or remove the ability for Enterprise Admin users to invoke the sync_provider_data action, or enforce strict URL validation to allow only HTTPS URLs from a pre‑approved whitelist.
  • Monitor outbound HTTP requests from the platform for unexpected destinations and block any that target internal IP ranges not intended by normal operation.

Generated by OpenCVE AI on May 11, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Openedx
Openedx openedx-platform
Vendors & Products Openedx
Openedx openedx-platform

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadata_url POST parameter. This URL is passed directly to requests.get() in fetch_metadata_xml() without any URL validation, IP filtering, or scheme enforcement. An attacker with Enterprise Admin privileges can force the server to make HTTP requests to internal network services, cloud metadata endpoints (e.g., AWS 169.254.169.254), or other attacker-controlled destinations. This vulnerability is fixed by commit 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054.
Title Open edX Platform: Server-Side Request Forgery (SSRF) in SAML Provider Data Sync Endpoint
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Openedx Openedx-platform
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T17:30:59.724Z

Reserved: 2026-04-30T16:44:48.379Z

Link: CVE-2026-42858

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:36.263

Modified: 2026-05-11T18:16:36.263

Link: CVE-2026-42858

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T21:30:25Z

Weaknesses