CVE-2026-25221


📋 TL;DR

PolarLearn's OAuth 2.0 implementation for GitHub and Google login is vulnerable to login CSRF because the OAuth state parameter is not validated. An attacker can trick a victim into logging into an attacker-controlled account, so data the victim then enters is lost to that account and disclosed to the attacker. All users of affected versions are impacted.

💻 Affected Systems

Products:
  • PolarLearn
Versions: 0-PRERELEASE-15 and earlier
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with GitHub or Google OAuth login enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Victim's academic progress and personal data are permanently lost to the attacker's account, while the attacker gains unauthorized access to the victim's educational information and activities.

🟠 Likely Case

Victim unknowingly logs into the attacker's account, losing recent academic work and potentially exposing sensitive educational data to the attacker.

🟢 If Mitigated

With proper state parameter implementation, OAuth flows are secure and users only authenticate to their own accounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires the victim to click a malicious link while logged into PolarLearn, but no authentication is needed to initiate it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 44669bbb5b647c7625f22dd82f3121c7d7bfbe19

Vendor Advisory: https://github.com/polarnl/PolarLearn/security/advisories/GHSA-fhhm-574m-7rpw

Restart Required: Yes

Instructions:

1. Update to latest PolarLearn version
2. Verify commit 44669bbb5b647c7625f22dd82f3121c7d7bfbe19 is included
3. Restart PolarLearn service

🔧 Temporary Workarounds

Disable OAuth Login

Applies to: all
Description: Temporarily disable the GitHub and Google OAuth login providers
Steps: Modify the PolarLearn configuration to disable the OAuth providers

🧯 If You Can't Patch

  • Implement web application firewall rules to detect OAuth callbacks with a missing or anomalous state parameter
  • Educate users to verify they are logged into the correct account before entering sensitive data

🔍 How to Verify

Check if Vulnerable:

Check whether the PolarLearn version is 0-PRERELEASE-15 or earlier and OAuth login is enabled

Check Version:

Check the PolarLearn version in the admin interface or configuration files

Verify Fix Applied:

Verify that a state parameter is generated when the OAuth flow starts and validated against the session when the provider callback arrives
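The check above is what a correct implementation has to do: bind an unguessable, single-use state to the browser session at login start and reject any callback whose state does not match. The following is an added example written for this advisory, not PolarLearn's own code; the dict-based session store, helper names and ten-minute lifetime are assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

STATE_TTL_SECONDS = 600  # assumed policy: a pending login expires after ten minutes


def begin_oauth_login(session: dict, provider: str, now: Optional[float] = None) -> str:
    """Start an OAuth login: mint a random state and bind it to this browser session.

    `session` stands in for the server-side session keyed by the user's cookie
    (constructed here as a plain dict). The returned state goes into the
    redirect to the provider as the `state` query parameter."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["oauth_state"] = {
        "value": state,
        "provider": provider,
        "issued": now if now is not None else time.time(),
    }
    return state


def complete_oauth_login(session: dict, provider: str,
                         returned_state: Optional[str],
                         now: Optional[float] = None) -> bool:
    """Validate the provider callback. Returns True only if the state echoed back
    matches the one this session issued for this provider and is still fresh.

    The pending state is consumed even on failure, so a forged callback cannot
    be retried against the same pending login."""
    pending = session.pop("oauth_state", None)
    if pending is None or returned_state is None:
        return False  # no login was started in this browser: the login-CSRF case
    if pending["provider"] != provider:
        return False  # callback arrived on a different provider than was started
    current = now if now is not None else time.time()
    if current - pending["issued"] > STATE_TTL_SECONDS:
        return False  # stale state
    # constant-time compare so response timing does not leak the stored value
    return hmac.compare_digest(pending["value"], returned_state)


if __name__ == "__main__":
    # A victim's session with no pending login receives an attacker-crafted callback.
    victim = {}
    print(complete_oauth_login(victim, "github", "state-chosen-by-attacker"))  # False
    # The legitimate round trip succeeds exactly once.
    legit = {}
    s = begin_oauth_login(legit, "google")
    print(complete_oauth_login(legit, "google", s))  # True
    print(complete_oauth_login(legit, "google", s))  # False: already consumed
```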

📡 Detection & Monitoring

Log Indicators:

  • Multiple OAuth authentication attempts from the same user with different accounts
  • OAuth requests missing state parameter

Network Indicators:

  • Unusual OAuth callback patterns
  • Multiple authentication requests to different providers from same IP

SIEM Query:

source="polarlearn" AND oauth_state="missing" AND (oauth_provider="github" OR oauth_provider="google")
