CVE-2026-25885
Published: 09 February 2026
Summary
CVE-2026-25885 is a critical-severity Improper Authorization (CWE-285) vulnerability in PolarLearn (vendor: Polarlearn). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 20.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-25885 affects PolarLearn, a free and open-source learning program, specifically versions 0-PRERELEASE-16 and earlier. The vulnerability resides in the group chat WebSocket endpoint at wss://polarlearn.nl/api/v1/ws, which permits use without authentication. An unauthenticated client can subscribe to any group chat by supplying a group UUID and send messages to any group. The server accepts these messages and persists them in the group's chatContent field, making it more than a transient spam issue. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-285 (Improper Authorization) and CWE-306 (Missing Authentication for Critical Function).
Unauthenticated attackers can exploit this remotely with low complexity and no privileges or user interaction required. By connecting to the WebSocket, providing a target group UUID, and sending arbitrary messages, they achieve high integrity impact through persistent message injection into any group's chat history. This enables spam, misinformation dissemination, or disruption of group communications across the platform.
Mitigation details are available in the GitHub security advisory at https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c and the patching commit at https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f. Security practitioners should review these for upgrade instructions or authentication enforcement on the WebSocket endpoint.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6867
Vulnerability details
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group's chatContent, so this is not just a visual spam issue.
CWE(s): CWE-285 (Improper Authorization), CWE-306 (Missing Authentication for Critical Function)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public WebSocket endpoint allows remote exploitation of a public-facing application (T1190), resulting in unauthorized persistent injection into stored chat data (T1565.001, Stored Data Manipulation).
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly mandates that specific actions, such as subscribing to a group chat or sending messages over the WebSocket, are not permitted without identification and authentication, countering the core vulnerability.
- AC-3 (Access Enforcement): enforces approved authorizations, blocking unauthenticated access and persistent message injection into group chats via the WebSocket endpoint.
- IA-8 (Identification and Authentication (Non-Organizational Users)): requires identification and authentication for non-organizational users accessing public services such as the group chat WebSocket, preventing unauthorized participation.
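To make the missing check concrete, the following is an added example (not PolarLearn's code) modelling the flaw described in the deeper analysis and the AC-14/AC-3 enforcement described above: an in-memory WebSocket message handler in its pre-fix form, which only checks that the group exists, beside a hardened form that refuses any action before authentication and enforces group membership. The message shape (action/group/text), the Connection and Group types and the sample users are assumptions; only the chatContent field name comes from the advisory.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory model of a group-chat WebSocket backend (not PolarLearn's code).
@dataclass
class Connection:
    user_id: Optional[str]                      # None models a client that never authenticated
    subscriptions: set = field(default_factory=set)

@dataclass
class Group:
    members: set                                # user ids allowed to read and post
    chatContent: list = field(default_factory=list)  # persisted messages (name from the advisory)

GROUPS = {}  # constructed sample data, populated by make_sample_groups()

def make_sample_groups():
    gid = str(uuid.uuid4())
    GROUPS.clear()
    GROUPS[gid] = Group(members={"alice", "bob"})
    return gid

def vulnerable_handle(conn, msg):
    """Pre-fix behaviour: only checks that the group exists, so any client,
    authenticated or not, may subscribe to or post into any group."""
    group = GROUPS.get(msg.get("group"))
    if group is None:
        return {"ok": False, "error": "unknown group"}
    if msg["action"] == "subscribe":
        conn.subscriptions.add(msg["group"])
        return {"ok": True}
    if msg["action"] == "send":
        group.chatContent.append({"from": conn.user_id, "text": msg["text"]})
        return {"ok": True}
    return {"ok": False, "error": "bad action"}

def hardened_handle(conn, msg):
    """Fixed behaviour: AC-14 (no action without authentication) and
    AC-3 (group membership enforced) are checked before any state changes."""
    if conn.user_id is None:                        # AC-14: identity required first
        return {"ok": False, "error": "authentication required"}
    gid = msg.get("group")
    try:
        uuid.UUID(str(gid))                         # reject malformed group ids early
    except ValueError:
        return {"ok": False, "error": "invalid group id"}
    group = GROUPS.get(gid)
    # One response for unknown group and non-member: does not confirm which UUIDs exist.
    if group is None or conn.user_id not in group.members:   # AC-3: membership enforced
        return {"ok": False, "error": "forbidden"}
    return vulnerable_handle(conn, msg)             # checks passed; the store logic itself is fine
```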