PT-2026-37284 · Unknown · Open Edx Enterprise Service

Ik0Z · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-42860

CVSS v3.1: 8.5 High

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open edx Enterprise Service versions 7.0.2 through 7.0.4

Description: An authenticated user with the Enterprise Admin role can trigger a server-side HTTP request. Using the 'SAMLProviderConfigViewSet' PATCH endpoint, the user can set the 'metadata_source' field of SAMLProviderConfig to an arbitrary URL. Subsequently calling the 'sync provider data' endpoint in 'SAMLProviderDataViewSet' invokes the fetch_metadata_xml() function, which passes that URL to requests.get() without scheme enforcement, IP filtering, or timeouts. The result is Server-Side Request Forgery (SSRF), which could be used to steal cloud credentials from instance metadata services, scan internal networks, or access internal APIs.

Recommendations: Update Open edx Enterprise Service to version 7.0.5. As a temporary workaround, apply network-level egress filtering that blocks outbound connections from the server to 169.254.0.0/16 and the RFC 1918 private IP ranges.
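The three missing controls named in the description (scheme enforcement, IP filtering, timeouts) can be checked in one place before the metadata is fetched. The following is an added illustration, not code from the Open edx Enterprise Service or its 7.0.5 fix; the function names fetch_metadata_xml, validate_metadata_url and is_blocked_ip, and the injected http_get/resolver parameters, are assumptions chosen so the validator runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def is_blocked_ip(ip: str) -> bool:
    """True for addresses an IdP metadata URL must never resolve to."""
    addr = ipaddress.ip_address(ip)
    # is_private covers the RFC 1918 ranges (and IPv6 ULA); is_link_local covers
    # 169.254.0.0/16, where cloud instance metadata services are reached.
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_metadata_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Enforce https, forbid credentials, and reject hosts resolving to internal IPs."""
    parsed = urlparse(url)
    if parsed.scheme != "https":  # rules out http://, file://, gopher:// and friends
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname or parsed.username or parsed.password:
        raise ValueError("URL must carry a plain host and no embedded credentials")
    port = parsed.port or 443
    try:
        infos = resolver(parsed.hostname, port, proto=socket.IPPROTO_TCP)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        raise ValueError(f"cannot resolve {parsed.hostname}: {exc}") from exc
    # Check every address the name resolves to, IPv4 and IPv6 alike.
    for _family, _type, _proto, _canon, sockaddr in infos:
        if is_blocked_ip(sockaddr[0]):
            raise ValueError(f"{parsed.hostname} resolves to blocked address {sockaddr[0]}")
    return url


def fetch_metadata_xml(url: str, http_get, resolver=socket.getaddrinfo) -> bytes:
    """Hypothetical hardened fetch: validate, then GET with a timeout and no redirects."""
    safe_url = validate_metadata_url(url, resolver)
    # http_get is injected (requests.get in production) so this runs offline in tests.
    # allow_redirects=False stops a 3xx from steering the request to an internal host.
    # Residual gap: DNS rebinding between resolve and connect; close it by pinning the
    # resolved IP or routing fetches through an egress proxy that applies the same policy.
    response = http_get(safe_url, timeout=(5, 15), allow_redirects=False)
    response.raise_for_status()
    return response.content
```

Because resolution happens before the request, a hostname that points at 10.0.0.0/8 or 169.254.169.254 is rejected the same way a literal internal IP is; the network-level egress filter in the recommendations remains the backstop for the rebinding case.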

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-42860
GHSA-64CV-VXPR-J6VC
PYSEC-2026-58

Affected Products

Open Edx Enterprise Service