CVE-2026-31946
CRITICALOpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow
Title source: cnaDescription
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch
Scores
CVSS v3
9.8
EPSS
0.0021
EPSS Percentile
10.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-287
CWE-347
Status
published
Products (2)
frentix/openolat
10.5.4 - 20.2.5
OpenOLAT/OpenOLAT
>= 10.5.4, < 20.2.5
Published
Mar 30, 2026
Tracked Since
Mar 31, 2026