Improper Verification of Cryptographic Signature in OpenOlat - CVE-2026-31946

 


Published: April 27, 2026


Vulnerability identifier: #VU128164
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31946
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenOlat
Affected software:
OpenOlat

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to bypass authentication and obtain an authenticated session as any user.

The vulnerability exists because the OIDC implicit flow implementation does not properly verify the cryptographic signature of JWTs returned to the /oauthcallback endpoint. Since the token's claims are trusted before its signature has been checked, a remote attacker can construct a JWT with an arbitrary sub claim, submit it to the callback, and obtain an authenticated session as the user identified by that claim.

Only installations with the OIDC implicit flow enabled are vulnerable. The issue does not affect installations that do not use OAuth or that use only the authorization code flow.
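The following is an added illustration of the flaw class (CWE-347) and of the checks a callback handler needs before trusting a JWT's sub claim. It is constructed for this advisory and is not OpenOlat's code; the issuer, client_id, secret, nonce and tokens are assumptions. HS256 with a shared secret is used only so the example runs on the Python standard library; a real OIDC provider normally signs ID tokens with RS256/ES256 and the verifier fetches the public key from the provider's JWKS endpoint, but the order of checks is the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed relying-party configuration (assumptions for this example, not OpenOlat's).
ISSUER = "https://idp.example.invalid"
CLIENT_ID = "openolat-rp"
CLIENT_SECRET = b"constructed-example-client-secret"
ATTACKER_KEY = b"attacker-chosen-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Builds a compact JWS; with alg="none" the signature part is left empty."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def unverified_subject(token: str) -> str:
    """The flaw class: decode the payload and trust 'sub' without checking the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))["sub"]


def verify_id_token(token: str, expected_nonce: str, now: Optional[int] = None) -> dict:
    """Hardened check: pinned algorithm, signature, iss, aud, exp and nonce before 'sub' is used."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: this rejects alg=none and algorithm-confusion headers outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def login_subject(token: str, expected_nonce: str, now: Optional[int] = None) -> Optional[str]:
    """What a hardened callback should do: return the subject to log in, or None to refuse."""
    try:
        return verify_id_token(token, expected_nonce, now)["sub"]
    except (ValueError, KeyError, TypeError):
        return None


NOW = 1_800_000_000  # fixed clock so the example is deterministic
NONCE = "n-0S6_WzA2Mj"  # constructed; in practice generated per login and stored in the session
BASE = {"iss": ISSUER, "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 300, "nonce": NONCE}

# Constructed tokens: one genuine, two forged by an attacker who picks the 'sub' claim.
GENUINE = make_jwt({**BASE, "sub": "alice"}, CLIENT_SECRET)
FORGED_BAD_KEY = make_jwt({**BASE, "sub": "administrator"}, ATTACKER_KEY)
FORGED_ALG_NONE = make_jwt({**BASE, "sub": "administrator"}, b"", alg="none")

if __name__ == "__main__":
    for name, tok in [("genuine", GENUINE), ("forged/bad key", FORGED_BAD_KEY),
                      ("forged/alg none", FORGED_ALG_NONE)]:
        print(f"{name:16} unverified -> {unverified_subject(tok)!r:18} "
              f"verified -> {login_subject(tok, NONCE, NOW)!r}")
```

Running the block shows both forged tokens yielding "administrator" from the unverified path while the hardened path refuses them; the genuine token passes both. The nonce and exp checks matter in the implicit flow because the token travels through the browser, so a leaked but validly signed token must not be replayable into a new session.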


How to mitigate CVE-2026-31946

Install the security update from the vendor's website. Until the update is applied, installations that can do so should disable the OIDC implicit flow and rely on the authorization code flow, since only the implicit flow is affected.

Sources