CVE-2026-31946

Source
https://cve.org/CVERecord?id=CVE-2026-31946
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31946.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31946
Aliases
  • GHSA-v8vp-x4q4-2vch
Published
2026-03-30T20:31:14.919Z
Modified
2026-04-10T05:42:55.425633Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow
Details

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
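As an added illustration (not OpenOLAT's own code), this is the shape of check the vulnerable getAccessToken() methods lacked: the ID token's signature is verified against the IdP's JWKS before any claim is inspected. It assumes the Nimbus JOSE+JWT library; the issuer, client id and jwks_uri are hypothetical configuration values.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.net.URL;
import java.util.Date;

/** Added example, not OpenOLAT code: verify the ID token signature before trusting claims. */
public final class IdTokenVerifier {
    // Hypothetical values; in a real deployment they come from the OIDC provider configuration.
    private final String expectedIssuer;
    private final String expectedAudience; // the client_id registered at the IdP
    private final JWKSet jwks;             // fetched from the IdP's jwks_uri

    public IdTokenVerifier(String issuer, String clientId, URL jwksUri) throws Exception {
        this.expectedIssuer = issuer;
        this.expectedAudience = clientId;
        this.jwks = JWKSet.load(jwksUri);
    }

    /** Returns the verified claims or throws. Signature first, claims second. */
    public JWTClaimsSet verify(String compactJwt, String expectedNonce) throws Exception {
        // SignedJWT.parse() requires all three segments (header.payload.signature);
        // it does not silently drop the signature the way the vulnerable parser did.
        SignedJWT jwt = SignedJWT.parse(compactJwt);
        // Pin the algorithm: "none" or an HMAC alg taken from the header must not be accepted.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new SecurityException("unexpected alg: " + jwt.getHeader().getAlgorithm());
        }
        // Pick the IdP key named by the kid header and verify the signature with it.
        JWK key = jwks.getKeyByKeyId(jwt.getHeader().getKeyID());
        if (key == null) {
            throw new SecurityException("no JWKS key for kid " + jwt.getHeader().getKeyID());
        }
        JWSVerifier verifier = new RSASSAVerifier(key.toRSAKey());
        if (!jwt.verify(verifier)) {
            throw new SecurityException("JWT signature verification failed");
        }
        // Only now are the claim-level checks (issuer, audience, nonce, expiry) meaningful.
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (!expectedIssuer.equals(claims.getIssuer())
                || !claims.getAudience().contains(expectedAudience)
                || !expectedNonce.equals(claims.getStringClaim("nonce"))
                || claims.getExpirationTime() == null
                || claims.getExpirationTime().before(new Date())) {
            throw new SecurityException("ID token claims rejected");
        }
        return claims;
    }
}
```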

Database specific
{
    "cwe_ids": [
        "CWE-287",
        "CWE-347"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31946.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/openolat/openolat

Affected ranges

Type
GIT
Repo
https://github.com/openolat/openolat
Events
Database specific
{
    "versions": [
        {
            "introduced": "10.5.4"
        },
        {
            "fixed": "20.2.5"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31946.json"