CVE-2026-34736

MEDIUM

Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API

Title source: cna

Description

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.

References (2)

[X_Refsource_Confirm] https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw

[X_Refsource_Misc] https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 19.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (1)

openedx/openedx-platform >= maple, < ulmo

Published Apr 02, 2026

Tracked Since Apr 03, 2026