Description
The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger a server-side HTTP request by calling sync_provider_data. The fetch in fetch_metadata_xml() passes the URL directly to requests.get() with no scheme enforcement, IP filtering, or timeout. This vulnerability is fixed in 7.0.5.
Published: 2026-05-11
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the sync_provider_data endpoint of Open edx Enterprise Service versions 7.0.2 through 7.0.4. An authenticated user with Enterprise Admin privileges can modify the metadata_source URL, then invoke sync_provider_data to make an unfiltered server‑side HTTP request to that URL. Because the request is performed with requests.get() without scheme validation, IP filtering, or a timeout, the application is susceptible to server‑side request forgery that can expose internal resources, access privileged data, or facilitate further attacks. The weakness is CWE‑918.

Affected Systems

The affected product is Open edx Enterprise (edx-enterprise) version 7.0.2, 7.0.3, and 7.0.4. The issue is resolved in 7.0.5 and later releases. Users running any of the vulnerable versions should consider their deployment of the sync_provider_data endpoint reachable from the Enterprise Admin role.

Risk and Exploitability

The CVSS vector indicates a base score of 8.5, classifying the flaw as high severity. While no EPSS score is available, the lack of mitigation such as timeout or whitelist expands the potential exploitation surface. The issue is not listed in CISA KEV, suggesting no publicly known exploits at the time of this analysis. The likely attack path requires administrative access to the Enterprise Admin role and the ability to trigger the sync_provider_data operation, indicating that privilege escalation within the internal role set is the main prerequisite.

Generated by OpenCVE AI on May 11, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open edx Enterprise to version 7.0.5 or later, where the issue is fixed.
  • Review and restrict Enterprise Admin privileges so that only trusted users can modify metadata_source URLs and invoke sync_provider_data.
  • If an upgrade cannot be performed immediately, enforce a whitelist of allowed metadata_source URLs and configure a short timeout on outgoing HTTP requests, though no official vendor workaround is available.

Generated by OpenCVE AI on May 11, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-64cv-vxpr-j6vc edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint
History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Openedx
Openedx edx-enterprise
Vendors & Products Openedx
Openedx edx-enterprise

Mon, 11 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger a server-side HTTP request by calling sync_provider_data. The fetch in fetch_metadata_xml() passes the URL directly to requests.get() with no scheme enforcement, IP filtering, or timeout. This vulnerability is fixed in 7.0.5.
Title Open edx Enterprise Service: SSRF via SAML metadata URL in sync_provider_data endpoint
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Openedx Edx-enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:10:00.779Z

Reserved: 2026-04-30T16:44:48.379Z

Link: CVE-2026-42860

cve-icon Vulnrichment

Updated: 2026-05-11T20:08:06.273Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:36.547

Modified: 2026-05-12T16:50:08.553

Link: CVE-2026-42860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:45Z

Weaknesses