The Open edX Enterprise Service app provides enterprise features to the Open edX platform. In versions 7.0.2 through 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint and then trigger a server-side HTTP request by calling sync_provider_data. fetch_metadata_xml() passes the URL straight to requests.get() with no scheme enforcement, IP filtering, or timeout, which makes the fetch a server-side request forgery (CWE-918). This vulnerability is fixed in 7.0.5.
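The three missing controls named above (scheme enforcement, IP filtering, timeout) shown in a hardened fetch. This is an added illustration, not edx-enterprise's code or its 7.0.5 fix; the name fetch_metadata_xml is borrowed from the description only as a label, check_metadata_url and resolve_host are hypothetical helpers, and the `resolve` hook exists so the check can run offline against constructed DNS data in the test.

```python
import ipaddress
import socket
from typing import Optional
from urllib.parse import urljoin, urlsplit

def resolve_host(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address it currently points at."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_metadata_url(url: str, resolve=resolve_host) -> Optional[str]:
    """Return None if the URL may be fetched server-side, else the reason it may not."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return f"cannot resolve {host!r}"
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local, shared/CGNAT, ULA, ...
        if not ipaddress.ip_address(addr).is_global:
            return f"{host!r} resolves to non-public address {addr}"
    return None

def fetch_metadata_xml(url: str, timeout: float = 10.0, max_redirects: int = 3) -> bytes:
    """Hardened fetch: scheme/IP check on every hop, manual redirects, bounded timeout."""
    import requests  # imported lazily so the checks above run without the dependency
    for _ in range(max_redirects + 1):
        problem = check_metadata_url(url)
        if problem:
            raise ValueError(f"refusing to fetch {url!r}: {problem}")
        # Caveat: the host is resolved here and again inside requests, so a DNS record
        # that flips between the two lookups is still a gap; pin the vetted IP to close it.
        resp = requests.get(url, timeout=timeout, allow_redirects=False)
        if resp.is_redirect:
            url = urljoin(url, resp.headers["location"])  # re-checked on the next pass
            continue
        resp.raise_for_status()
        return resp.content
    raise ValueError(f"too many redirects fetching {url!r}")
```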
References
| Link | Resource |
|---|---|
| https://github.com/openedx/edx-enterprise/security/advisories/GHSA-64cv-vxpr-j6vc | Exploit, Vendor Advisory |
Configurations
History
13 May 2026, 14:50
| Type | Values Removed | Values Added |
|---|---|---|
| References | | https://github.com/openedx/edx-enterprise/security/advisories/GHSA-64cv-vxpr-j6vc - Exploit, Vendor Advisory |
| First Time | | Openedx edx-enterprise; Openedx |
| CPE | | cpe:2.3:a:openedx:edx-enterprise:*:*:*:*:*:*:*:* |
11 May 2026, 21:19
| Type | Values Removed | Values Added |
|---|---|---|
| References | | https://github.com/openedx/edx-enterprise/security/advisories/GHSA-64cv-vxpr-j6vc |
11 May 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-05-11 18:16
Updated : 2026-05-13 14:50
NVD link : CVE-2026-42860
Mitre link : CVE-2026-42860
CVE.ORG link : CVE-2026-42860
Products Affected
openedx
- edx-enterprise
CWE
CWE-918
Server-Side Request Forgery (SSRF)
