PT-2026-30983 · Unknown · Polarlearn
Jvr2022 · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-39322
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
PolarLearn versions 0-PRERELEASE-15 and earlier
Description
The software creates a valid session for banned accounts before verifying the supplied password in the /api/v1/auth/sign-in API endpoint. That session is then accepted across authenticated API routes, allowing access to the banned user's account data and authenticated actions as that user. The vulnerable parameter is the password.
Recommendations
Update to a version later than 0-PRERELEASE-15.
Fix
Improper Authentication
Affected Products
Polarlearn