PT-2026-29122 · Openolat · Openolat

Fkt · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-31946

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenOlat versions 10.5.4 through 20.2.4
Description: OpenOlat is a web-based e-learning platform. Its OpenID Connect implicit-flow implementation does not verify JSON Web Token (JWT) signatures: the JSONWebToken.parse() method discards the signature segment of the JWT, and the getAccessToken() methods in OpenIdConnectApi and OpenIdConnectFullConfigurableApi validate only claim-level fields, with no cryptographic verification of the signature against the Identity Provider's JWKS endpoint. An attacker can therefore craft a token asserting any identity and potentially gain control of the entire e-learning platform.
Recommendations: Update OpenOlat to version 20.2.5.
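The Go program below is an added example and not OpenOlat's code (OpenOlat is a Java project; Go is used here because its standard library covers RS256 signing and verification without extra dependencies). It places the flawed pattern the description names, a parse routine that splits off and discards the signature segment, beside a hardened verifier that pins the algorithm, checks the signature against the IdP's public key and only then evaluates the claims. Everything concrete in it is constructed for the demonstration: idpKey stands in for the key the Identity Provider's JWKS endpoint would publish, otherKey is a key the IdP never published, and the issuer https://idp.example and client id openolat-client are placeholders. The names JSONWebToken.parse() and getAccessToken() from the advisory are not reproduced; parseUnverified and verifyRS256 are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims this example inspects.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var (
	enc         = base64.RawURLEncoding
	idpKey, _   = rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the key in the IdP's JWKS
	otherKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key the IdP never published
)

// decodeJSON base64url-decodes one token segment into v.
func decodeJSON(seg string, v interface{}) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signRS256 stands in for a token issuer: a compact JWT (header.payload.signature) signed with key.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// parseUnverified mirrors the flawed pattern the advisory describes: the signature segment
// is split off and discarded, so the claims are whatever the token's author chose to write.
func parseUnverified(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	return c, decodeJSON(parts[1], &c)
}

// verifyRS256 is the hardened counterpart: pin the algorithm, verify the signature with the
// IdP's public key (what a JWKS lookup by kid returns), and only then check iss, aud and exp.
func verifyRS256(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "RS256" { // also rejects "none" and algorithm-confusion headers
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return c, fmt.Errorf("signature verification failed: %w", err)
	}
	if err := decodeJSON(parts[1], &c); err != nil {
		return Claims{}, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return c, nil
}

func main() {
	// A token signed by a key the IdP never published, asserting an identity of its author's choosing.
	claims := Claims{Iss: "https://idp.example", Sub: "admin", Aud: "openolat-client", Exp: time.Now().Add(time.Hour).Unix()}
	tok, _ := signRS256(otherKey, claims)
	c, _ := parseUnverified(tok)
	fmt.Println("unverified parse trusts sub =", c.Sub)
	_, err := verifyRS256(tok, &idpKey.PublicKey, "https://idp.example", "openolat-client", time.Now())
	fmt.Println("verified parse:", err)
}
```

Run with go run: the first line prints admin, because a signature-blind parser hands back whatever the payload says, while the second reports the signature failure. In a real relying party the public key is selected by the token's kid header from the JWKS endpoint the advisory mentions (cache it and refetch on an unknown kid), parsing should be left to a maintained JOSE library, and the alg pin plus the iss, aud and exp checks stay in place regardless. Signature failures are worth logging as authentication events: once verification is enforced they are the only trace a crafted token leaves.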

Exploit · Fix

Weakness Enumeration: Improper Authentication; Improper Verification of Cryptographic Signature

Related Identifiers: CVE-2026-31946, GHSA-V8VP-X4Q4-2VCH

Affected Products: Openolat