CVE-2026-35610
Published: 07 April 2026
Summary
CVE-2026-35610 is a high-severity Improper Authorization (CWE-285) vulnerability in PolarLearn (vendor: Polarlearn). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 16.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to system resources, directly preventing the inverted admin check from allowing non-admin users to execute privileged functions like setCustomPassword and deleteUser.
- AC-24 (Access Control Decisions): Implements access control decisions that correctly authorize actions based on user roles, countering the logic error in authorization checks for admin-only operations.
- AC-6 (Least Privilege): Enforces the least privilege principle to restrict non-admin users from performing high-impact actions such as account password changes or deletions, mitigating privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a privilege escalation vulnerability caused by inverted admin checks that allow non-admin users to change passwords and delete any user account. This directly enables T1068 (Exploitation for Privilege Escalation); the password changes map to T1098 (Account Manipulation) and the deletions to T1531 (Account Access Removal).
NVD Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute both actions, while real admins were rejected. This is a direct privilege-escalation issue in the application.
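The following is an added illustration of the inverted-check pattern the advisory describes and of the fix that AC-3 style access enforcement calls for. It is a hypothetical model written for this page, not PolarLearn's code: the User and AccountStore types, the function names with a _vulnerable suffix, and the authz_check helper are all assumptions. The helper exercises each privileged function both as an admin and as a non-admin, which is the regression test that catches an inverted condition (both checks fail) as well as a missing one (only the non-admin check fails).

```python
"""Inverted admin check (CWE-285) next to its corrected form, plus a
two-direction authorization test. Hypothetical code; not PolarLearn's."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    name: str
    is_admin: bool = False
    password_hash: str = ""


class AuthorizationError(PermissionError):
    """Raised when the caller is not allowed to perform an action."""


@dataclass
class AccountStore:
    users: dict = field(default_factory=dict)

    def add(self, user: User) -> None:
        self.users[user.user_id] = user


def hash_password(password: str) -> str:
    # Placeholder digest so the example is self-contained; a real service
    # would use a password KDF such as argon2 or bcrypt here.
    return hashlib.sha256(password.encode()).hexdigest()


# ---- vulnerable form: the admin condition is inverted ----------------------
def set_custom_password_vulnerable(store: AccountStore, caller: User,
                                   user_id: int, password: str) -> bool:
    # BUG: the 'not' inverts the check, so non-admins pass and admins are
    # the ones rejected, which is the behaviour the advisory describes.
    if not caller.is_admin:
        store.users[user_id].password_hash = hash_password(password)
        return True
    raise AuthorizationError("admin privileges required")


def delete_user_vulnerable(store: AccountStore, caller: User, user_id: int) -> bool:
    if not caller.is_admin:  # BUG: same inverted condition
        del store.users[user_id]
        return True
    raise AuthorizationError("admin privileges required")


# ---- fixed form: one enforcement point with a positive condition -----------
def require_admin(caller: User) -> None:
    """Single access-enforcement point for admin-only operations."""
    if not caller.is_admin:
        raise AuthorizationError(f"user {caller.user_id} is not an admin")


def set_custom_password(store: AccountStore, caller: User,
                        user_id: int, password: str) -> bool:
    require_admin(caller)
    store.users[user_id].password_hash = hash_password(password)
    return True


def delete_user(store: AccountStore, caller: User, user_id: int) -> bool:
    require_admin(caller)
    del store.users[user_id]
    return True


# ---- regression check that exposes an inverted or missing check ------------
def authz_check(action) -> dict:
    """Run action(store, caller, target_id) once as admin, once as non-admin.

    Returns {'admin_allowed': bool, 'non_admin_denied': bool}. A correct
    check yields both True; an inverted check yields both False; a missing
    check yields admin_allowed True but non_admin_denied False.
    """
    def attempt(as_admin: bool) -> bool:
        store = AccountStore()
        caller = User(1, "caller", is_admin=as_admin)
        target = User(2, "target")
        store.add(caller)
        store.add(target)
        try:
            return action(store, caller, target.user_id)
        except AuthorizationError:
            return False

    return {"admin_allowed": attempt(True), "non_admin_denied": not attempt(False)}


if __name__ == "__main__":
    set_pw = lambda s, c, uid: set_custom_password(s, c, uid, "new-secret")
    set_pw_bad = lambda s, c, uid: set_custom_password_vulnerable(s, c, uid, "x")
    print("fixed:     ", authz_check(set_pw), authz_check(delete_user))
    print("vulnerable:", authz_check(set_pw_bad), authz_check(delete_user_vulnerable))
```

Routing every admin-only operation through a single require_admin call means the positive/negative sense of the condition is written once and tested once; the inversion in the advisory could survive only because the check was duplicated inline in each function.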
Deeper analysis
CVE-2026-35610 is a privilege escalation vulnerability in PolarLearn, a free and open-source learning program, affecting versions 0-PRERELEASE-14 and earlier. The issue stems from an inverted admin check in the account-management module's setCustomPassword(userId, password) and deleteUser(userId) functions. Due to this logic error, authenticated non-admin users can execute these actions, while legitimate administrators are rejected, mapping to CWE-285 (Improper Authorization). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility and significant impacts on confidentiality, integrity, and availability.
Any authenticated user with low privileges can exploit this vulnerability remotely with low attack complexity and no user interaction. By invoking the affected functions with arbitrary userId values, the attacker can set custom passwords for any user account or permanently delete any user account, enabling full account takeover or denial of service against other users.
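Because the bug makes the application answer authorization the wrong way round, it leaves two distinct traces in an application audit log: privileged account actions that succeed for non-admin principals, and the same actions being denied to real admins. The detection logic below is an added example written for this page; the log format and the sample lines are constructed (PolarLearn's real logging is not described here), and the role names, the mass_threshold value and the rule names are assumptions.

```python
"""Audit-log detection for the symptoms of an inverted admin check:
non-admin principals succeeding at admin-only actions, admins being denied
them, and one non-admin removing several accounts. Constructed example."""
import re
from collections import Counter, defaultdict

# Admin-only operations named in the advisory.
PRIVILEGED_ACTIONS = {"setCustomPassword", "deleteUser"}

# Constructed sample audit lines; the key=value format is an assumption.
SAMPLE_LOG = """\
2026-04-07T09:58:10Z user=admin1 role=admin action=setCustomPassword target=17 result=denied
2026-04-07T09:58:41Z user=student7 role=student action=setCustomPassword target=17 result=allowed
2026-04-07T09:59:03Z user=student7 role=student action=deleteUser target=18 result=allowed
2026-04-07T09:59:05Z user=student7 role=student action=deleteUser target=19 result=allowed
2026-04-07T09:59:07Z user=student7 role=student action=deleteUser target=20 result=allowed
2026-04-07T10:00:00Z user=student3 role=student action=viewCourse target=5 result=allowed
2026-04-07T10:01:30Z user=admin1 role=admin action=deleteUser target=21 result=allowed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$"
)


def parse(log: str) -> list:
    """Turn audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events: list, mass_threshold: int = 3) -> list:
    """Return findings for the three symptoms of an inverted admin check."""
    findings = []
    deletions = defaultdict(set)  # non-admin user -> accounts they deleted
    for e in events:
        if e["action"] not in PRIVILEGED_ACTIONS:
            continue
        if e["role"] != "admin" and e["result"] == "allowed":
            # The privilege-escalation case (T1068 / T1098 / T1531).
            findings.append({"rule": "non_admin_privileged_action", "ts": e["ts"],
                             "user": e["user"], "action": e["action"],
                             "target": e["target"]})
            if e["action"] == "deleteUser":
                deletions[e["user"]].add(e["target"])
        elif e["role"] == "admin" and e["result"] == "denied":
            # Admins being rejected is the tell-tale of an inverted condition.
            findings.append({"rule": "admin_denied_privileged_action", "ts": e["ts"],
                             "user": e["user"], "action": e["action"],
                             "target": e["target"]})
    for user, targets in deletions.items():
        if len(targets) >= mass_threshold:
            # Several accounts removed by one non-admin: account access removal.
            findings.append({"rule": "mass_account_removal", "user": user,
                             "count": len(targets)})
    return findings


def summarize(log: str) -> Counter:
    """Count findings per rule for a whole log."""
    return Counter(f["rule"] for f in detect(parse(log)))


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
    print(dict(summarize(SAMPLE_LOG)))
```

The admin_denied_privileged_action rule is the useful one for triage: a burst of denials for legitimate admins right after a deployment is a cheap signal that an authorization condition was flipped, well before anyone abuses it.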
Mitigation guidance is available in the PolarLearn security advisory at https://github.com/polarnl/PolarLearn/security/advisories/GHSA-8hww-w7cc-77rj, published on 2026-04-07.
Details
- CWE(s)