CVE-2026-31946

{"id": "CVE-2026-31946", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-30T21:17:09.440", "references": [{"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5."}, {"lang": "es", "value": "OpenOlat es una plataforma de e-learning de c\u00f3digo abierto basada en la web para la ense\u00f1anza, el aprendizaje, la evaluaci\u00f3n y la comunicaci\u00f3n. Desde la versi\u00f3n 10.5.4 hasta antes de la versi\u00f3n 20.2.5, la implementaci\u00f3n del flujo impl\u00edcito de OpenID Connect de OpenOLAT no verifica las firmas JWT. El m\u00e9todo JSONWebToken.parse() descarta silenciosamente el segmento de la firma del JWT compacto (encabezado.carga \u00fatil.firma), y los m\u00e9todos getAccessToken() tanto en OpenIdConnectApi como en OpenIdConnectFullConfigurableApi solo validan campos a nivel de declaraci\u00f3n (emisor, audiencia, estado, nonce) sin ninguna verificaci\u00f3n criptogr\u00e1fica de la firma contra el endpoint JWKS del Proveedor de Identidad. Este problema ha sido parcheado en la versi\u00f3n 20.2.5."}], "lastModified": "2026-04-02T16:49:44.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frentix:openolat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92EBC184-1E84-4766-8671-2DB919EEDF37", "versionEndExcluding": "20.2.5", "versionStartIncluding": "10.5.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}