← Retour aux CVEs
CVE-2026-34736
MEDIUM5.3
Description
Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.
Details CVE
Score CVSS v3.15.3
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie4/2/2026
Derniere modification4/3/2026
Sourcenvd
Observations honeypot0
Faiblesses (CWE)
CWE-287
References
https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8(security-advisories@github.com)
https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.