CVE-2026-41243
MEDIUMOpenLearn's pending forum posts remain publicly readable by direct ID when moderation mode is enabled
Title source: cnaDescription
OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when `safeMode` is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit 844b2a40a69d0c4911580fe501923f0b391313ab fixes the issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/siemvk/OpenLearn/security/advisories/GHSA-4rv3-hfh6-vqvm
X_Refsource_Misc x_refsource_misc
https://github.com/siemvk/OpenLearn/commit/844b2a40a69d0c4911580fe501923f0b391313ab
Scores
CVSS v3
5.4
EPSS
0.0018
EPSS Percentile
7.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (2)
siemvk/openlearn
< 2026-04-14
siemvk/OpenLearn
< 844b2a40a69d0c4911580fe501923f0b391313ab
Published
Apr 23, 2026
Tracked Since
Apr 23, 2026