CVE-2026-25885
Published: 09 February 2026
Summary
CVE-2026-25885 is a high-severity Improper Authorization (CWE-285) vulnerability in PolarLearn (vendor Polarlearn). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
- Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
- Ensures authorization decisions are always performed by a complete and analyzable reference monitor.
- Auditing session actions allows identification of improper authorization decisions and enforcement failures.
- The process verifies authorization mechanisms function as intended before system approval.
- By limiting enabled features to only those needed, the control strengthens authorization by removing opportunities for unauthorized use of excess functionality.
- Dedicated authorization servers support policy-based decisions, mitigating improper authorization.
- Protecting the shutoff from unauthorized activation enforces proper authorization for this critical operation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public WebSocket endpoint enables remote exploitation of a public-facing application (T1190), leading to unauthorized, persistent injection into stored chat data (T1565.001, Stored Data Manipulation).
NVD Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group’s chatContent, so this is not just a visual spam issue.
Deeper analysis
CVE-2026-25885 affects PolarLearn, a free and open-source learning program, specifically versions 0-PRERELEASE-16 and earlier. The vulnerability resides in the group chat WebSocket endpoint at wss://polarlearn.nl/api/v1/ws, which permits use without authentication. An unauthenticated client can subscribe to any group chat by supplying a group UUID and send messages to any group. The server accepts these messages and persists them in the group's chatContent field, making it more than a transient spam issue. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-285 (Improper Authorization) and CWE-306 (Missing Authentication for Critical Function).
Unauthenticated attackers can exploit this remotely with low complexity and no privileges or user interaction required. By connecting to the WebSocket, providing a target group UUID, and sending arbitrary messages, they achieve high integrity impact through persistent message injection into any group's chat history. This enables spam, misinformation dissemination, or disruption of group communications across the platform.
Mitigation details are available in the GitHub security advisory at https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c and the patching commit at https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f. Security practitioners should review these for upgrade instructions or authentication enforcement on the WebSocket endpoint.
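To make the missing check concrete, the following is an added example (not PolarLearn's code, whose implementation language and handler layout are assumptions here) that models the WebSocket message dispatch in memory: a vulnerable handler that trusts any client frame, beside a hardened one that requires a server-side session and group membership before subscribing or persisting into chatContent.

```javascript
// Constructed in-memory model; groupId, session and chatContent are assumed names.
const groups = new Map(); // groupId -> { members: Set<userId>, chatContent: [] }

function seedGroup(groupId, members) {
  groups.set(groupId, { members: new Set(members), chatContent: [] });
}

// Vulnerable shape: any connection may subscribe to or post into any group by UUID,
// and the sender identity is taken from the client frame.
function handleFrameVulnerable(conn, frame) {
  const group = groups.get(frame.groupId);
  if (!group) return { ok: false, error: 'no such group' };
  if (frame.type === 'subscribe') { conn.subscribed.add(frame.groupId); return { ok: true }; }
  if (frame.type === 'message') {
    group.chatContent.push({ from: frame.from ?? 'anonymous', text: String(frame.text) });
    return { ok: true };
  }
  return { ok: false, error: 'unknown frame' };
}

// Hardened shape: authenticate the connection, then authorize group membership,
// before either subscribing or storing anything.
function handleFrameHardened(conn, frame) {
  if (!conn.session || !conn.session.userId) return { ok: false, error: 'unauthenticated' };
  const group = groups.get(frame.groupId);
  if (!group || !group.members.has(conn.session.userId)) {
    // Same answer for unknown and forbidden groups, so UUID existence is not revealed.
    return { ok: false, error: 'forbidden' };
  }
  if (frame.type === 'subscribe') { conn.subscribed.add(frame.groupId); return { ok: true }; }
  if (frame.type === 'message') {
    // Sender identity comes from the server-side session, never from the frame.
    group.chatContent.push({ from: conn.session.userId, text: String(frame.text) });
    return { ok: true };
  }
  return { ok: false, error: 'unknown frame' };
}

function newConn(session) { return { session, subscribed: new Set() }; }
function chatContent(groupId) { return groups.get(groupId).chatContent; }
```

The membership lookup is the CWE-285 fix and the session check is the CWE-306 fix; the two are separate controls and both are needed on every frame, not only on connection setup.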
Details
- CWE(s)