Cyber Resilience

CVE-2026-25885

Severity: Critical · Public PoC

Published: 09 February 2026
Modified: 20 February 2026
CVSS Score (v4): 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0029 (20.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25885 is a critical-severity Improper Authorization (CWE-285) vulnerability in PolarLearn (vendor: Polarlearn, product: Polarlearn). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-25885 affects PolarLearn, a free and open-source learning program, specifically versions 0-PRERELEASE-16 and earlier. The vulnerability resides in the group chat WebSocket endpoint at wss://polarlearn.nl/api/v1/ws, which can be used without authentication. An unauthenticated client can subscribe to any group chat by supplying a group UUID and can send messages to any group. The server accepts these messages and persists them in the group's chatContent field, so the impact goes beyond transient spam. The CVE carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-285 (Improper Authorization) and CWE-306 (Missing Authentication for Critical Function).

Unauthenticated attackers can exploit this remotely with low complexity and no privileges or user interaction required. By connecting to the WebSocket, providing a target group UUID, and sending arbitrary messages, they achieve high integrity impact through persistent message injection into any group's chat history. This enables spam, misinformation dissemination, or disruption of group communications across the platform.

Mitigation details are available in the GitHub security advisory at https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c and the patching commit at https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f. Security practitioners should review these for upgrade instructions or authentication enforcement on the WebSocket endpoint.
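As an added example (not PolarLearn's code, and not taken from the advisory or the patch commit), the authorization gate a group-chat WebSocket handler needs before it honours a subscribe or send for a group UUID: the session must be authenticated (the CWE-306 gap) and the user must be a member of that group (the CWE-285 gap). The group ids, user names and message shape are assumed for illustration.

```python
# Added example, not PolarLearn's implementation. Group ids, users and the
# message shape below are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample state: two groups and their members.
GROUP_A = "2f1e5d3a-0000-4000-8000-000000000001"
GROUP_B = "2f1e5d3a-0000-4000-8000-000000000002"
GROUP_MEMBERS = {GROUP_A: {"alice", "bob"}, GROUP_B: {"carol"}}
# Stand-in for the persisted chatContent of each group.
CHAT_CONTENT = {gid: [] for gid in GROUP_MEMBERS}


@dataclass
class Session:
    """Per-connection state; user_id stays None until the client authenticates."""
    user_id: Optional[str] = None
    subscriptions: set = field(default_factory=set)


def authorize(session: Session, group_id) -> Optional[str]:
    """Return an error string, or None if the session may act on the group.
    Both checks must pass: authenticated (CWE-306) and a member (CWE-285)."""
    if session.user_id is None:
        return "unauthenticated"
    if session.user_id not in GROUP_MEMBERS.get(group_id, set()):
        return "forbidden"  # same answer for unknown groups and non-members
    return None


def handle_message(session: Session, msg: dict) -> dict:
    """Dispatch one parsed client message; returns the reply the server would send.
    Nothing is subscribed or stored until authorize() has passed."""
    action = msg.get("action")
    group_id = msg.get("group")
    if action not in ("subscribe", "send"):
        return {"ok": False, "error": "unknown action"}
    err = authorize(session, group_id)
    if err:
        return {"ok": False, "error": err}
    if action == "subscribe":
        session.subscriptions.add(group_id)
        return {"ok": True, "subscribed": group_id}
    # "send": persist only after the gate above, attributed to the real user.
    CHAT_CONTENT[group_id].append({"from": session.user_id, "text": msg.get("text", "")})
    return {"ok": True, "stored": len(CHAT_CONTENT[group_id])}
```

The vulnerable behaviour the advisory describes corresponds to calling the subscribe and send branches without the authorize() step, so any client that knows a group UUID reaches the persistence line.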

Vulnerability details

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group's chatContent, so this is not just a visual spam issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The flaw in the public WebSocket endpoint allows remote exploitation of a public-facing application (T1190), and the result is unauthorized, persistent injection into stored chat data (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25126 (same product: Polarlearn Polarlearn)
CVE-2026-39322 (same product: Polarlearn Polarlearn)
CVE-2026-25221 (same product: Polarlearn Polarlearn)
CVE-2026-35610 (same product: Polarlearn Polarlearn)
CVE-2026-25222 (same product: Polarlearn Polarlearn)
CVE-2026-24890 (shared CWE-285)
CVE-2026-40248 (shared CWE-285)
CVE-2025-65021 (shared CWE-285)
CVE-2025-8861 (shared CWE-306)
CVE-2025-61956 (shared CWE-306)

Affected Assets

Vendor: polarlearn
Product: polarlearn
Versions: all versions

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-14 (Permitted Actions Without Identification or Authentication), prevent: Directly mandates restriction of specific actions, such as WebSocket group chat subscription and message sending, without identification and authentication, countering the core vulnerability.

AC-3 (Access Enforcement), prevent: Enforces approved authorizations to block unauthenticated access and persistent message injection into group chats via the WebSocket endpoint.

prevent: Requires identification and authentication for non-organizational users accessing public services such as the group chat WebSocket, preventing unauthorized participation.

References