OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover

Description

A critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. The issue has been fixed.

Advisory: https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-223g-f5mq-gw33

Recommendation

Update the openlearnx package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.0.4
• Patched version(s): 2.0.4

References

• GHSA-223g-f5mq-gw33
• CVE-2026-44720
• CWE-287
• CWE-347
• CAPEC-310
• OWASP 2021-A2
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - payload - CVE-2026-34751
• Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
• Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - CVE-2026-34751
• Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804

You might also like:

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

openlearnx