Description
The SCORM lab launch endpoint in Skillable (scorm.skillable.com) through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. An authenticated user can substitute arbitrary userId values to bypass per-user lab launch rate limits and consume other users' lab allocations, resulting in denial of service against targeted users' lab and exam access. Skillable was formerly named Learn on Demand Systems.
Published: 2026-07-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the SCORM lab launch endpoint where the client‑supplied userId is not checked against the authenticated SCORM session token. An attacker who is already authenticated can supply arbitrary userIds, thereby consuming lab allocations belonging to other users and bypassing the intended per‑user launch rate limits. This misuse can exhaust a victim’s available lab or exam slots, causing a denial of service for those targeted users.

Affected Systems

Skillable’s SCORM Lab Launch Integration, accessed through scorm.skillable.com, is vulnerable in all versions up to 2026-07-13. The issue pertains specifically to the lab launch endpoint that accepts a userId parameter.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, reflecting the potential to disrupt service for affected users. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no public exploits have been reported. The attack vector is likely limited to authenticated users with access to the SCORM session token, but once authenticated the bypass can be repeatedly exploited, impacting load and resource allocation for other users.

Generated by OpenCVE AI on July 14, 2026 at 12:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Skillable to a version released after 2026-07-13 where the userId validation is corrected
  • If an update is not immediately feasible, implement server‑side checks to ensure the userId supplied in the launch request matches the authenticated session’s userId and reject mismatches
  • Limit and monitor lab launch requests per user; enforce rate limits programmatically and log any deviations to detect abuse

Generated by OpenCVE AI on July 14, 2026 at 12:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
Title Skillable SCORM Lab Launch Rate Limit Bypass via Unvalidated userId Parameter

Mon, 13 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
Description The SCORM lab launch endpoint in Skillable (scorm.skillable.com) through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. An authenticated user can substitute arbitrary userId values to bypass per-user lab launch rate limits and consume other users' lab allocations, resulting in denial of service against targeted users' lab and exam access. Skillable was formerly named Learn on Demand Systems.
Weaknesses CWE-472
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-14T12:46:32.749Z

Reserved: 2026-06-23T15:43:45.665Z

Link: CVE-2026-56877

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T13:00:04Z

Weaknesses
  • CWE-472

    External Control of Assumed-Immutable Web Parameter