Cyber Posture

CVE-2026-39322

High

Published: 07 April 2026

Modified: 14 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-39322 is a high-severity Improper Authentication (CWE-287) vulnerability in Polarlearn Polarlearn. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 17.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: IA-2 mandates identification and authentication mechanisms that verify user credentials and account status before any access or session is granted, directly preventing a session from being created for a banned account without password validation.

prevent: AC-2 requires effective account management, including disabling banned accounts so that authentication attempts are blocked and no session is issued regardless of the supplied credentials.

prevent: AC-3 enforces approved access authorizations in accordance with access control policies, ensuring API routes reject sessions that are not backed by successful authentication, including password verification.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication bypass in the public-facing /api/v1/auth/sign-in endpoint directly enables T1190 (Exploit Public-Facing Application): unauthorized session creation and access to banned accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and authenticated actions as the banned user.

Deeper analysis

CVE-2026-39322 is a high-severity authentication vulnerability (CVSS 3.1 score of 8.8, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting PolarLearn, a free and open-source learning program, in versions 0-PRERELEASE-15 and earlier. The issue, tied to CWE-287 (Improper Authentication), occurs in the POST /api/v1/auth/sign-in endpoint, where a valid session is created for banned accounts before the supplied password is verified. This session is subsequently accepted across other authenticated /api routes.

An attacker with low privileges can exploit this over the network with low complexity and no user interaction by submitting a sign-in request using the username of a banned account paired with any password. The resulting session grants unauthorized access to the banned user's account data and enables performance of authenticated actions on their behalf, achieving high impacts on confidentiality, integrity, and availability.

The GitHub security advisory at https://github.com/polarnl/PolarLearn/security/advisories/GHSA-9vx4-7ww7-4cf5 provides further details on the vulnerability.
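The ordering flaw described above, and the IA-2/AC-2/AC-3 controls listed under Mitigating Controls, can be seen side by side in the following added example. It is not PolarLearn's code: the user store, the session store and the handler names (vulnerable_sign_in, hardened_sign_in, resolve_session_naive, resolve_session_hardened) are constructed for illustration. The vulnerable handler stores a session as soon as the account is found, so the ban and password checks only shape the HTTP response and never revoke the token; the hardened handler runs every check first, and its route guard additionally drops sessions whose account has since been banned.

```python
"""Model of the sign-in ordering flaw described for CVE-2026-39322 (CWE-287).

Not PolarLearn's code: the user store, session store and handler names are
constructed for this example. It contrasts a handler that issues a session
before the password and ban checks with one that runs every check first.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    banned: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password KDF a real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, banned: bool = False) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), banned)


# Constructed sample accounts: one active, one banned.
USERS = {
    "alice": make_user("alice", "correct horse battery"),
    "mallory": make_user("mallory", "hunter2", banned=True),
}

# Server-side session store: token -> username.
SESSIONS: dict = {}


def _issue_session(username: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def vulnerable_sign_in(username: str, password: str) -> dict:
    """Flawed ordering: the session is stored as soon as the account is found.
    The ban and password checks only change the response body; neither revokes
    the token already in SESSIONS, so it remains usable on /api routes.
    The "session" key stands in for a Set-Cookie header sent with the error."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "invalid credentials"}
    token = _issue_session(username)  # created before any check has passed
    if user.banned:
        return {"ok": False, "error": "account banned", "session": token}
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return {"ok": False, "error": "invalid credentials", "session": token}
    return {"ok": True, "session": token}


def hardened_sign_in(username: str, password: str) -> dict:
    """Fixed ordering (IA-2 / AC-2): verify the password and the account status
    first. A session exists only after both succeed; failures leave no state."""
    user = USERS.get(username)
    # Hash even for unknown users so a missing account is not faster to probe.
    salt = user.salt if user else os.urandom(16)
    supplied = hash_password(password, salt)
    if user is None or not hmac.compare_digest(supplied, user.pw_hash):
        return {"ok": False, "error": "invalid credentials"}
    if user.banned:
        return {"ok": False, "error": "account banned"}
    return {"ok": True, "session": _issue_session(username)}


def resolve_session_naive(token: str) -> Optional[str]:
    """Route guard that honours any stored token (what lets the flaw through)."""
    return SESSIONS.get(token)


def resolve_session_hardened(token: str) -> Optional[str]:
    """Route guard for AC-3: a token is honoured only while the account behind
    it is still active, so banning a user also invalidates existing sessions."""
    username = SESSIONS.get(token)
    if username is None:
        return None
    user = USERS.get(username)
    if user is None or user.banned:
        SESSIONS.pop(token, None)
        return None
    return username


if __name__ == "__main__":
    bad = vulnerable_sign_in("mallory", "not-the-password")
    print("vulnerable:", bad["error"], "-> route sees", resolve_session_naive(bad["session"]))
    good = hardened_sign_in("mallory", "not-the-password")
    print("hardened:", good["error"], "-> session issued:", "session" in good)
```

Two things matter for detection and remediation here. First, a failed sign-in must not leave a row in the session store, so an audit that joins session creation events against sign-in outcomes (a session with no matching successful login) is a direct indicator of this class of bug. Second, checking account status in the route guard as well as at sign-in means the AC-2 action of banning an account takes effect immediately, rather than only at the next login.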

Details

CWE(s)

CWE-287 Improper Authentication

Affected Products

polarlearn
polarlearn
all versions

CVEs Like This One

CVE-2026-25221: same product (Polarlearn Polarlearn)
CVE-2026-25885: same product (Polarlearn Polarlearn)
CVE-2026-25126: same product (Polarlearn Polarlearn)
CVE-2026-25222: same product (Polarlearn Polarlearn)
CVE-2026-35610: same product (Polarlearn Polarlearn)
CVE-2026-5570: shared CWE-287
CVE-2025-52395: shared CWE-287
CVE-2025-15484: shared CWE-287
CVE-2026-41571: shared CWE-287
CVE-2026-2174: shared CWE-287

References