Description
OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4.
Published: 2026-05-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenLearnX has a critical authentication vulnerability that disables JWT signature verification, allowing attackers to craft forged tokens and impersonate users. According to the relevant CWEs, this issue represents a flaw in Authentication Management (CWE-287) and a flaw in improper cryptographic validation (CWE-347). This flaw can result in unauthorized account takeover and full access to the platform’s data and functionality. The lack of signature validation breaks the fundamental security assumption that tokens are trustworthy, enabling complete compromise of user accounts.

Affected Systems

The vulnerability affects all installations of OpenLearnX prior to version 2.0.4. Versions 2.0.4 and later contain a fix that re‑enables proper JWT verification. No other products or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates a high severity level. No EPSS score is available, so the probability of exploitation at this time is unknown. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it via crafted JWTs submitted to the authentication endpoint; no additional authentication is required. The flaw can be leveraged from any network location that can reach the affected instance.

Generated by OpenCVE AI on May 27, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenLearnX to version 2.0.4 or later.
  • Verify that JWT signature verification is enabled and cannot be bypassed.
  • Monitor authentication logs for suspicious token usage.

Generated by OpenCVE AI on May 27, 2026 at 22:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-223g-f5mq-gw33 OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover
History

Thu, 28 May 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Th30d4y
Th30d4y openlearnx
Vendors & Products Th30d4y
Th30d4y openlearnx

Wed, 27 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4.
Title OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover
Weaknesses CWE-287
CWE-347
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Th30d4y Openlearnx
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T21:02:29.706Z

Reserved: 2026-05-07T18:04:17.308Z

Link: CVE-2026-44720

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T22:16:36.680

Modified: 2026-05-27T22:16:36.680

Link: CVE-2026-44720

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:00:05Z

Weaknesses