Cyber Resilience

CVE-2026-25221

Severity: Low · Public PoC: referenced

Published: 02 February 2026

Modified: 20 February 2026
KEV added: not listed
Patch: available (see Deeper analysis)
CVSS v4.0 base score: 2.3 (Low)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0020 (10.2nd percentile)
Risk priority: 15 (floored blend, peak EPSS)

Summary

CVE-2026-25221 is a CSRF (CWE-352) vulnerability in Polarlearn Polarlearn, rated Low on this page on the basis of its CVSS v4.0 base score of 2.3. The CVSS v3.1 base score recorded for the same issue is 8.1 (High), so the two scoring systems disagree sharply; do not triage on the v4 figure alone.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25221 is a Login Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the OAuth 2.0 implementation for the GitHub and Google login providers in PolarLearn, a free and open-source learning program. Versions 0-PRERELEASE-15 and earlier fail to implement and verify the state parameter during the authentication flow. In OAuth 2.0 the state parameter is the client's CSRF token: the client generates an unguessable value, binds it to the user's session before redirecting to the provider, and rejects any callback whose state does not match that session. Without it, nothing ties an incoming callback to a login the current user actually started. The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impact with network accessibility, low attack complexity, no privileges required, and user interaction needed.

An attacker can exploit this vulnerability without privileges by pre-authenticating a session and tricking a victim user into completing the login flow, causing the victim to inadvertently log into the attacker's account. Once logged in as the attacker, any data the victim enters or academic progress they make is stored on the attacker's account, resulting in data loss for the victim and information disclosure to the attacker.

Mitigation is addressed in the PolarLearn GitHub security advisory GHSA-fhhm-574m-7rpw and via a patch in commit 44669bbb5b647c7625f22dd82f3121c7d7bfbe19. Update to a version incorporating this fix and review OAuth implementations for proper state parameter handling. To confirm the fix on a running instance, start a GitHub or Google login and check that the redirect to the provider carries a state query parameter, then request the callback URL with that parameter removed or altered and confirm the application rejects it instead of completing the login.
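The attack in the two paragraphs above and the state check the fix needs, as an added illustration that is not PolarLearn's code. The provider (FakeProvider), the relying-party client (OAuthClient), the session dictionaries and the URLs are all assumed stand-ins constructed for this example so the whole flow runs offline; the vulnerable callback mirrors the described behaviour (any code that arrives is redeemed and the session is logged in as that account), and the fixed callback binds state to the caller's session.

```python
"""Login CSRF on an OAuth 2.0 callback: missing state check vs. the fix.

Added illustration, not PolarLearn's code. Provider, HTTP layer and
server-side session are simulated in-process so it runs offline.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class FakeProvider:
    """Constructed stand-in for GitHub/Google: issues one-time auth codes."""

    authorize_url = "https://provider.example/oauth/authorize"

    def __init__(self):
        self._codes = {}

    def authorize(self, username):
        # Browser owner logs in at the provider and consents; a code bound
        # to that account is minted.
        code = secrets.token_urlsafe(16)
        self._codes[code] = username
        return code

    def exchange(self, code):
        # Token endpoint: redeem the code once for the account identity.
        return self._codes.pop(code)


class OAuthClient:
    """The relying party (the learning app) with two callback variants."""

    redirect_uri = "https://app.example/auth/callback"

    def __init__(self, provider):
        self.provider = provider

    def begin_login(self, session):
        # Fixed flow: bind an unguessable state to THIS session before the
        # browser is sent to the provider (RFC 6749 section 10.12).
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state
        query = urlencode({"client_id": "app", "redirect_uri": self.redirect_uri,
                           "response_type": "code", "state": state})
        return f"{self.provider.authorize_url}?{query}"

    def callback_vulnerable(self, session, url):
        # Redeems whatever code arrives and logs the session in as that
        # account; nothing ties the request to a login this user started.
        params = parse_qs(urlparse(url).query)
        session["user"] = self.provider.exchange(params["code"][0])
        return session["user"]

    def callback_fixed(self, session, url):
        # Refuse unless the callback carries the state stored in the caller's
        # own session. Pop it so a captured callback cannot be replayed.
        params = parse_qs(urlparse(url).query)
        expected = session.pop("oauth_state", None)
        received = params.get("state", [""])[0]
        if expected is None or not hmac.compare_digest(expected, received):
            raise PermissionError("state mismatch: possible login CSRF")
        session["user"] = self.provider.exchange(params["code"][0])
        return session["user"]


def simulate_login_csrf(fixed):
    """Return the account the victim's session ends up in, or None if rejected."""
    provider = FakeProvider()
    client = OAuthClient(provider)
    # 1. Attacker finishes the provider step with their OWN account but stops
    #    before the callback, keeping the authorization code.
    attacker_code = provider.authorize("attacker")
    # 2. Attacker plants the callback URL (e.g. an <img> or link) where the
    #    victim will load it. Any state they add cannot match the victim's
    #    session, which holds none.
    forged = f"{client.redirect_uri}?{urlencode({'code': attacker_code, 'state': 'x'})}"
    # 3. Victim's browser follows it, sending the victim's own session cookie.
    victim_session = {}
    handler = client.callback_fixed if fixed else client.callback_vulnerable
    try:
        return handler(victim_session, forged)
    except PermissionError:
        return None


def simulate_legitimate_login():
    """Normal flow through the fixed handler: state round-trips and matches."""
    provider = FakeProvider()
    client = OAuthClient(provider)
    session = {}
    state = parse_qs(urlparse(client.begin_login(session)).query)["state"][0]
    code = provider.authorize("victim")
    callback = f"{client.redirect_uri}?{urlencode({'code': code, 'state': state})}"
    return client.callback_fixed(session, callback)


if __name__ == "__main__":
    print("vulnerable:", simulate_login_csrf(fixed=False))  # attacker
    print("fixed:", simulate_login_csrf(fixed=True))        # None
    print("legitimate:", simulate_legitimate_login())       # victim
```

The vulnerable handler logs the victim in as "attacker" from a URL the victim never requested themselves; the fixed handler rejects the same URL because the victim's session holds no matching state, while a login the victim actually started still succeeds. The state is popped on use and compared with hmac.compare_digest so a leaked callback URL cannot be replayed and the comparison does not leak timing.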

Vulnerability details

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF flaw in OAuth state-parameter handling of an internet-facing web application directly enables attackers to exploit the public-facing login flow for forced account association and subsequent data disclosure.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39322 (same product: Polarlearn Polarlearn)
CVE-2026-25885 (same product: Polarlearn Polarlearn)
CVE-2026-25126 (same product: Polarlearn Polarlearn)
CVE-2026-35610 (same product: Polarlearn Polarlearn)
CVE-2026-25222 (same product: Polarlearn Polarlearn)
CVE-2025-23467 (shared CWE-352)
CVE-2018-25170 (shared CWE-352)
CVE-2025-22336 (shared CWE-352)
CVE-2025-23821 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)

Affected Assets

Vendor: polarlearn
Product: polarlearn
Versions: all versions (listed here without a bound; the advisory text scopes the flaw to 0-PRERELEASE-15 and earlier, so verify the installed version against the patched commit rather than relying on this entry)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent: SC-23 (Session Authenticity) mandates protections for communications session authenticity, directly addressing the missing OAuth state parameter verification that enables Login CSRF attacks.

prevent: SI-10 (Information Input Validation) requires validation of critical inputs such as the OAuth state parameter, rejecting forged authentication requests in the login flow.

prevent: IA-8 (Identification and Authentication, Non-Organizational Users) governs unique identification and authentication of external users via providers such as GitHub and Google. It covers the use of external identity providers in general; it does not by itself require the state binding that prevents login CSRF, so treat it as supporting rather than primary.
