CRITICAL🇵🇱 Wersja polska

CVE-2026-31946

CVSS 9.8v3.1pub. 2026-03-30upd. 2026-04-02

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.

🤖 AI Analysis
How it works

The JSONWebToken.parse() method silently discards the JWT token signature segment (header.payload.signature), thereby ignoring its cryptographic integrity. The getAccessToken() methods in OpenIdConnectApi and OpenIdConnectFullConfigurableApi classes verify only fields at the claims level (issuer, audience, state, nonce), but do not perform any signature verification against the identity provider's public key (JWKS endpoint). As a result, an attacker can craft or modify a JWT token with arbitrary claims — for example, impersonating another user or administrator — and it will be accepted by the system without any cryptographic verification.

Impact

An attacker without any privileges and without user interaction can gain full unauthorized access to other users' accounts, including administrators, leading to violation of confidentiality, integrity, and availability of data stored on the platform.

Mitigation & patch

OpenOLAT should be updated to version 20.2.5 or later, where the issue has been fixed. If immediate update is not possible, consider disabling or restricting access to OpenID Connect login functionality until the patch is deployed.

Who is affected

OpenOLAT in versions from 10.5.4 to before 20.2.5 (configurations using OpenID Connect implicit flow)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Frentix Openolat

    APP
    Frentix
    10.5.4 – 20.2.5 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-28228HIGH8.8ten sam produkt

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication....

CVE-2021-41242HIGH8.1ten sam produkt

OpenOlat is a web-basedlearning management system. A path traversal vulnerability exists in OpenOlat prior to ...

CVE-2021-41152HIGH7.7ten sam produkt

OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a le...

CVE-2021-39181HIGH8.8ten sam produkt

OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using ...

CVE-2021-39180HIGH8.1ten sam produkt

OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions pr...