CVE-2026-25221
Published: 02 February 2026
Summary
CVE-2026-25221 is a high-severity CSRF (CWE-352) vulnerability in PolarLearn. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 3.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 mandates protections for communications session authenticity, directly addressing the missing OAuth state parameter verification that enables Login CSRF attacks.
SI-10 requires validation of critical information inputs like the OAuth state parameter, preventing forged authentication requests in the login flow.
IA-8 ensures unique identification and authentication for non-organizational users via external providers like GitHub and Google, mitigating flaws in the OAuth implementation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF flaw in the OAuth state-parameter handling of an internet-facing web application lets an attacker abuse the public-facing login flow to force an account association and, through it, obtain the victim's data.
NVD Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker.
Deeper analysis
CVE-2026-25221 is a Login Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the OAuth 2.0 implementation for GitHub and Google login providers in PolarLearn, a free and open-source learning program. Versions 0-PRERELEASE-15 and earlier fail to implement and verify the state parameter during the authentication flow. The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with network accessibility, low attack complexity, no privileges required, and user interaction needed.
An attacker can exploit this vulnerability without privileges by pre-authenticating a session and tricking a victim user into completing the login flow, causing the victim to inadvertently log into the attacker's account. Once logged in as the attacker, any data the victim enters or academic progress they make is stored on the attacker's account, resulting in data loss for the victim and information disclosure to the attacker.
Mitigation is addressed in the PolarLearn GitHub security advisory GHSA-fhhm-574m-7rpw and via a patch in commit 44669bbb5b647c7625f22dd82f3121c7d7bfbe19. Security practitioners should update to a version incorporating this fix and review OAuth implementations for proper state parameter handling.
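To make the missing check concrete, the following is an added illustration (not PolarLearn's code and not the advisory's patch) of the server side of an OAuth 2.0 login flow, showing the callback handler that accepts any code beside one that binds each authorization request to the browser session that started it via the state parameter. The class, session ids, URLs and client id are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example, not PolarLearn's code. Session ids, URLs and the
# client id are placeholders; the logic is what matters.

def state_from_url(url):
    """Return the 'state' query value of a URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]

def code_from_url(url):
    """Return the 'code' query value of a URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("code", [None])[0]

def vulnerable_complete_login(callback_url):
    # The pattern the CVE describes: whatever 'code' arrives is exchanged
    # and the browser is logged into the account that code belongs to,
    # even if the flow was started by someone else (Login CSRF).
    return code_from_url(callback_url)

class OAuthStateGuard:
    """Ties each authorization request to the session that began it, so a
    callback minted by a third party is rejected instead of logged in."""

    def __init__(self):
        self._pending = {}  # session_id -> outstanding state (single use)

    def begin_login(self, session_id, authorize_url, client_id, redirect_uri):
        state = secrets.token_urlsafe(32)  # unguessable, fresh per request
        self._pending[session_id] = state
        params = {"client_id": client_id, "redirect_uri": redirect_uri,
                  "response_type": "code", "state": state}
        return f"{authorize_url}?{urlencode(params)}"

    def complete_login(self, session_id, callback_url):
        expected = self._pending.get(session_id)
        received = state_from_url(callback_url)
        if expected is None or received is None:
            return None  # no flow pending for this session, or state absent
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return None  # state belongs to some other flow: reject
        del self._pending[session_id]  # consume so the callback cannot replay
        return code_from_url(callback_url)  # now safe to exchange for a token
```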