CVE-2026-39322

PolarLearn: Any password authenticates banned accounts and grants API access

Description

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and authenticated actions as the banned user.

INFO

Published Date :

2026-04-07T19:03:28.999Z

Last Modified :

2026-04-09T16:16:51.970Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39322 vulnerability.

Vendors	Products
Polarlearn	Polarlearn
Polarnl	Polarlearn

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39322.

URL	Resource
https://github.com/polarnl/PolarLearn/security/advisories/GHSA-9vx4-7ww7-4cf5

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact