Description

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.

INFO

Published Date :

2026-03-30T20:31:14.919Z

Last Modified :

2026-03-31T14:08:07.327Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31946 vulnerability.

Vendors Products
Openolat
  • Openolat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31946.

URL Resource
https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact