CVE-2026-31946
Published: 30 March 2026
Summary
CVE-2026-31946 is a critical-severity Improper Authentication (CWE-287) vulnerability in Frentix Openolat. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely remediation of the specific flaw in OpenOlat's OpenID Connect implementation by patching to version 20.2.5, which adds JWT signature verification.
- IA-5 (Authenticator Management): mandates verification that authenticators like JWTs have not been altered or compromised, directly requiring cryptographic signature checks against the IdP's JWKS.
- IA-13 (Identity Providers and Authorization Servers): requires controls to protect authentication using external identity providers and authorization servers, addressing improper OpenID Connect implicit flow token validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote exploitation of the public OIDC endpoint (T1190) via forged JWT access tokens that bypass signature verification (T1550.001).
NVD Description
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
Deeper analysis
CVE-2026-31946 affects OpenOlat, an open source web-based e-learning platform used for teaching, learning, assessment, and communication. The vulnerability resides in the OpenID Connect implicit flow implementation, where the JSONWebToken.parse() method silently discards the signature segment of compact JWTs (header.payload.signature). Additionally, the getAccessToken() methods in OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields such as issuer, audience, state, and nonce, without performing cryptographic signature verification against the Identity Provider's JWKS endpoint. This flaw impacts versions from 10.5.4 up to but not including 20.2.5, and carries a CVSS v3.1 base score of 9.8, linked to CWEs 287 (Improper Authentication) and 347 (Improper Verification of Cryptographic Signature).
Remote attackers require only network access to exploit this vulnerability, with low attack complexity, no privileges, no user interaction, and no scope change. By crafting a malicious JWT lacking a valid signature but with manipulated claims, an attacker can bypass authentication checks, obtain unauthorized access tokens, and potentially impersonate legitimate users. This enables high-impact compromise of confidentiality, integrity, and availability within the OpenOlat platform.
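The NVD description and the analysis above both describe the same defect: the parser splits the compact token and drops the third segment, after which only issuer, audience, state and nonce are compared, so a token whose signature is absent or wrong is indistinguishable from a genuine one. The following added example (not OpenOlat's code, and not taken from the advisory) puts the claims-only pattern next to a hardened verifier. It assumes a constructed key set keyed by `kid`, the issuer `https://idp.example/` and audience `openolat-client`, and uses HS256 from the standard library as a stand-in for the asymmetric keys an IdP publishes at its JWKS endpoint; the verification order (pin the algorithm, select the key, check the MAC over `header.payload`, then evaluate claims) is the point, not the key type.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the IdP's JWKS: kid -> HMAC secret. A real OIDC
# provider publishes RSA/EC public keys; HS256 is used only so this runs
# with the standard library alone.
IDP_KEYS = {"idp-key-1": b"constructed-demo-secret-do-not-reuse"}
EXPECTED_ISSUER = "https://idp.example/"   # assumed issuer
EXPECTED_AUDIENCE = "openolat-client"      # assumed client_id
ALLOWED_ALG = "HS256"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict, kid: str = "idp-key-1", sign: bool = True) -> str:
    """Build a compact JWT (test fixture standing in for the IdP).
    sign=False emits header.payload. with an empty signature segment."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if not sign:
        return signing_input + "."
    mac = hmac.new(IDP_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def claims_only_check(token: str, nonce: str) -> bool:
    """Vulnerable pattern: the signature segment is split off and ignored;
    only issuer, audience and nonce are compared."""
    _header_b64, payload_b64, _ignored_signature = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    return (claims.get("iss") == EXPECTED_ISSUER
            and claims.get("aud") == EXPECTED_AUDIENCE
            and claims.get("nonce") == nonce)


def verify_token(token: str, nonce: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened pattern: pin the algorithm, select the key by kid, verify the
    MAC over header.payload, and only then trust the claims.
    Returns the claims on success and None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != ALLOWED_ALG:   # rejects "none" and algorithm swaps
        return None
    key = IDP_KEYS.get(header.get("kid"))
    if key is None:                        # unknown key id: nothing to verify against
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if (claims.get("iss") != EXPECTED_ISSUER
            or claims.get("aud") != EXPECTED_AUDIENCE
            or claims.get("nonce") != nonce
            or claims.get("exp", 0) <= now):
        return None
    return claims
```

The negative cases worth keeping in a regression suite are the ones the advisory implies: an otherwise well-formed token with an empty or foreign signature segment, and a token whose payload was altered after signing. Both pass `claims_only_check` and both return `None` from `verify_token`; the nonce comparison alone never catches them because the nonce is a claim the token bearer controls.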
The GitHub security advisory at https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch confirms the issue has been patched in OpenOlat version 20.2.5, recommending immediate upgrades for affected installations to restore proper JWT signature verification.
Details
- CWE(s)