Cyber Resilience

CVE-2026-39322

Critical

Published: 07 April 2026
Modified: 14 April 2026
CVSS Score (v4): 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0024 (14.8th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-39322 is a critical-severity Improper Authentication (CWE-287) vulnerability in Polarlearn Polarlearn. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 14.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-39322 is a high-severity authentication vulnerability (CVSS 3.1 score of 8.8, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting PolarLearn, a free and open-source learning program, in versions 0-PRERELEASE-15 and earlier. The issue, tied to CWE-287 (Improper Authentication), occurs in the POST /api/v1/auth/sign-in endpoint, where a valid session is created for banned accounts before the supplied password is verified. This session is subsequently accepted across other authenticated /api routes.

An attacker with low privileges can exploit this over the network with low complexity and no user interaction by submitting a sign-in request with the username of a banned account and any password. The resulting session grants unauthorized access to the banned user's account data and allows authenticated actions on that user's behalf, with high impact on confidentiality, integrity, and availability.

The GitHub security advisory at https://github.com/polarnl/PolarLearn/security/advisories/GHSA-9vx4-7ww7-4cf5 provides further details on the vulnerability.
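The ordering flaw the advisory describes, beside a hardened sign-in and a route guard that re-checks account status, as an added Python example. This is constructed illustration code, not PolarLearn's own code; the user store, salt, helper names and the exact branch where the session is minted are assumptions.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-demo-salt"  # one salt for the demo only; use per-user salts in practice

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed sample store: username -> (password hash, banned flag).
USERS = {
    "alice": (hash_password("correct horse"), False),
    "mallory": (hash_password("hunter2"), True),
}
SESSIONS = {}  # token -> username

def new_session(username):
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token

def sign_in_vulnerable(username, password):
    """Flawed ordering modelled on the advisory: the banned branch mints a session before the password is checked."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "invalid credentials"}
    pw_hash, banned = user
    if banned:  # bug: session created here, password never verified
        return {"ok": False, "error": "account banned", "session": new_session(username)}
    if not hmac.compare_digest(pw_hash, hash_password(password)):
        return {"ok": False, "error": "invalid credentials"}
    return {"ok": True, "session": new_session(username)}

def sign_in_fixed(username, password):
    """Hardened ordering: password first, account status second, no session on any failure path."""
    pw_hash, banned = USERS.get(username, (hash_password(""), True))  # dummy hash keeps work similar for unknown users
    if not hmac.compare_digest(pw_hash, hash_password(password)) or username not in USERS:
        return {"ok": False, "error": "invalid credentials"}
    if banned:
        return {"ok": False, "error": "account banned"}
    return {"ok": True, "session": new_session(username)}

def api_user_naive(token):
    """Route guard that trusts any issued token (how the flawed /api routes behave)."""
    return SESSIONS.get(token)

def api_user_hardened(token):
    """Defence in depth (AC-3): re-check account status on every authenticated request."""
    username = SESSIONS.get(token)
    return None if username is None or USERS[username][1] else username
```

The hardened route guard also lets an operator invalidate a ban mid-session without hunting down existing tokens, which is what AC-2's "disable the account" control expects.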


Vulnerability details

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and authenticated actions as the banned user.

CWE(s): CWE-287 (Improper Authentication)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? Authentication bypass in the public-facing /api/v1/auth/sign-in endpoint directly enables T1190 (Exploit Public-Facing Application): unauthorized session creation and access to banned accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25221 (same product: Polarlearn Polarlearn)
CVE-2026-25885 (same product: Polarlearn Polarlearn)
CVE-2026-25126 (same product: Polarlearn Polarlearn)
CVE-2026-35610 (same product: Polarlearn Polarlearn)
CVE-2026-25222 (same product: Polarlearn Polarlearn)
CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)

Affected Assets

polarlearn polarlearn: all versions

Mitigating Controls (NIST 800-53 r5)

IA-2 (prevent): mandates identification and authentication mechanisms that verify user credentials and account status before granting access or sessions, directly preventing premature session creation for banned accounts without password validation.

AC-2 (prevent): requires effective account management, including disabling banned accounts so that authentication attempts and session issuance are blocked regardless of the supplied credentials.

AC-3 (prevent): enforces approved access authorizations in accordance with access control policies, ensuring API routes reject sessions that are not backed by successful authentication, including password verification.
