CVE-2026-31946

EPSS 0.03%
Veröffentlicht 30.03.2026 20:31:14
Zuletzt bearbeitet 02.04.2026 16:49:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Frentix ≫ Openolat Version >= 10.5.4 < 20.2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.07

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-31946

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31946

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31946

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31946