PYSEC-2026-58

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/edx-enterprise/PYSEC-2026-58.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-58
Aliases
Published
2026-05-11T18:16:36.547Z
Modified
2026-05-20T09:18:59.782659Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
[none]
Details

The Open edX Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger a server-side HTTP request by calling syncproviderdata. The fetch in fetchmetadata_xml() passes the URL directly to requests.get() with no scheme enforcement, IP filtering, or timeout. This vulnerability is fixed in 7.0.5.
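The advisory names three missing controls on the metadata fetch: scheme enforcement, IP filtering, and a timeout. The following is an added illustration of what a fetch gated by all three looks like; it is not edx-enterprise's code and not the 7.0.5 fix. The function names (validate_metadata_url, fetch_metadata_xml_safe, is_public_address), the https-only policy, the 5-second timeout, and the FAKE_DNS table are assumptions constructed for this example so it runs offline; a real deployment would use the resolve_host function, which calls the system resolver.

```python
# Added example (not edx-enterprise code): validate an admin-supplied metadata
# URL before the server fetches it. Names, policy and sample data are assumptions.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: SAML metadata is only ever served over TLS
FETCH_TIMEOUT = 5.0          # seconds; assumption


def is_public_address(ip_str):
    """True only for globally routable unicast addresses.

    Rejects private, loopback, link-local (incl. 169.254.169.254), multicast,
    reserved and unspecified addresses, for both IPv4 and IPv6.
    """
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_host(hostname):
    """Resolve a hostname to every address it maps to (round-robin included)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_metadata_url(url, resolver=resolve_host):
    """Raise ValueError unless the URL is https and points only at public hosts.

    Returns the list of addresses the host maps to, so the caller can pin them.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    # A literal IP is checked directly; a hostname must resolve to public
    # addresses only. Every returned address is checked, not just the first.
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addresses = resolver(parts.hostname)
    if not addresses:
        raise ValueError(f"host does not resolve: {parts.hostname!r}")
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        raise ValueError(f"host resolves to non-public address(es): {bad}")
    return addresses


def fetch_metadata_xml_safe(url, resolver=resolve_host, getter=None):
    """Validate, then fetch with a timeout and without following redirects."""
    validate_metadata_url(url, resolver=resolver)
    if getter is None:
        import requests  # imported lazily so the validation logic needs no third-party package

        def getter(u):
            # Redirects are refused so a public host cannot bounce the request
            # to an internal one; a hardened client would re-validate each hop.
            return requests.get(u, timeout=FETCH_TIMEOUT, allow_redirects=False)
    response = getter(url)
    if response.status_code != 200:
        raise ValueError(f"unexpected status {response.status_code}")
    return response.content


# Constructed resolver table for offline demonstration (no real DNS lookups).
FAKE_DNS = {
    "idp.example.com": ["93.184.216.34"],
    "metadata.internal": ["10.0.0.5"],
    "mixed.example.net": ["93.184.216.34", "169.254.169.254"],  # one public, one link-local
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


def check(url, resolver=fake_resolver):
    """Return (accepted, reason) for a candidate metadata URL."""
    try:
        validate_metadata_url(url, resolver=resolver)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in ("https://idp.example.com/metadata.xml",
                      "http://idp.example.com/metadata.xml",
                      "https://metadata.internal/metadata.xml",
                      "https://mixed.example.net/metadata.xml",
                      "https://[::1]/metadata.xml"):
        print(candidate, "->", check(candidate))
```

Two caveats the paragraph's three controls do not cover on their own: a host that resolves cleanly at validation time can change its record before the HTTP client resolves it again (DNS rebinding), which is why validate_metadata_url returns the addresses so a client can pin them, and a redirect from a public host can point anywhere, which is why the fetch refuses redirects rather than following them unchecked.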

References

Affected packages

Package: PyPI / edx-enterprise

Affected ranges (type ECOSYSTEM): introduced 7.0.2, fixed 7.0.5

Affected versions: 7.0.2, 7.0.3, 7.0.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/edx-enterprise/PYSEC-2026-58.yaml"