{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34736", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.754Z", "datePublished": "2026-04-02T18:29:01.740Z", "dateUpdated": "2026-04-03T16:08:43.532Z"}, "containers": {"cna": {"title": "Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw"}, {"name": "https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8", "tags": ["x_refsource_MISC"], "url": "https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8"}], "affected": [{"vendor": "openedx", "product": "openedx-platform", "versions": [{"version": ">= maple, < ulmo", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:29:01.740Z"}, "descriptions": [{"lang": "en", "value": "Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release."}], "source": {"advisory": "GHSA-m6rg-rp98-4crw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:48:43.267069Z", "id": "CVE-2026-34736", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:08:43.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API", "source": {"advisory": "GHSA-m6rg-rp98-4crw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openedx", "product": "openedx-platform", "versions": [{"status": "affected", "version": ">= maple, < ulmo"}]}], "references": [{"url": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw", "name": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8", "name": "https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:29:01.740Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34736", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T15:48:43.267069Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-03T16:08:40.333Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-34736", "state": "PUBLISHED", "dateUpdated": "2026-04-02T18:29:01.740Z", "dateReserved": "2026-03-30T18:41:20.754Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:29:01.740Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release."}], "id": "CVE-2026-34736", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:32.867", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8"}, {"source": "security-advisories@github.com", "url": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[maple,ulmo)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "openedx-platform", "vendor": "openedx"}], "analysis": {"en": {"generated_at": "2026-04-02T22:23:21.299896+00:00", "value": {"mitigation_remediation": ["Upgrade to the ulmo release or later, which contains the patch", "If an upgrade is not immediately possible, remove the activation_key field from the /api/user/v1/accounts/ response and disable OAuth2 password grants for inactive users", "Verify that the email verification flow enforces account activation before allowing platform access"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized account activation"}, "threat_synthesis": {"affected_systems": "The issue affects the Open edX Platform (openedx:openedx-platform). It exists in all releases from the maple version through and including releases prior to ulmo. The ulmo release contains the patch.", "description_and_impact": "The vulnerability allows an unauthenticated attacker to bypass the email verification process in Open edX Platform. By exploiting the fact that OAuth2 password grants are issued to inactive users and that the activation_key is exposed in the /api/user/v1/accounts/ REST API response, the attacker can obtain a valid activation key and create a session for the account without confirming the user\u2019s email. This results in unauthorized activation of a user account, potentially granting the attacker access to course content, instructor privileges, or administrative functions, depending on the account role.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. Because no authentication is required and the exploit relies solely on reading a public API and constructing an OAuth2 token, the attack vector is likely remote and trivial to employ for an attacker with internet access. EPSS is currently unknown and the vulnerability is not listed in the CISA KEV catalog, but the combination of credential exposure and authentication bypass still warrants prompt remediation."}}}}, "created": "2026-04-03T08:57:59.891303+00:00", "updated": "2026-04-03T09:16:42.898873+00:00", "vendors": ["openedx", "openedx$PRODUCT$openedx-platform"]}