LeakyCreds

CVE-2026-31946 - Vulnerability Analysis

Critical (CVSS 9.8)

Last Updated: April 1, 2026

OpenOlat - Authentication Bypass

Published: March 30, 2026
Updated: April 1, 2026
Remote Exploitable

Overview

OpenOlat versions from 10.5.4 up to, but not including, 20.2.5 contain a broken authentication weakness (CWE-287): the OpenID Connect implicit flow implementation does not verify the signature of the JWT ID token it receives. An attacker who submits a crafted token (unsigned, or signed data with a modified payload) can therefore bypass authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 3.8% (probability of exploitation in the next 30 days)

Impact

An attacker can bypass authentication by presenting an unsigned or tampered JWT ID token to the OpenID Connect login, gaining unauthorized access to the affected OpenOlat instance.
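The following Python example is added here; it is not OpenOlat code and is not taken from the advisory. It contrasts the pattern the Overview and Impact sections describe (an OpenID Connect ID token accepted without signature verification) with a consumer that verifies the token before trusting it, and feeds both the two token shapes the Impact section names: an unsigned token and a tampered one. Everything in it is constructed: the shared HS256 key, issuer, audience, nonce and claim values are assumptions for an offline demonstration. A production implicit-flow client validates RS256/ES256 signatures against the provider's published JWKS rather than an HMAC key, but the checks shown (pinned algorithm, signature, iss, aud, exp, nonce) are the same.

```python
"""Added example (not OpenOlat code): a JWT consumer that skips signature
verification, beside a hardened one that enforces it."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key shared with a hypothetical identity provider.
# Real OpenID Connect implicit flow uses asymmetric keys fetched from the
# provider's JWKS; HS256 is used here only so the example runs offline.
IDP_KEY = b"constructed-shared-secret-do-not-use"
EXPECTED_ISSUER = "https://idp.example"       # assumed issuer
EXPECTED_AUDIENCE = "openolat-client"         # assumed client_id
ALLOWED_ALGS = {"HS256"}                      # pin: never accept "none"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_id_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Mint an HS256 ID token the way the identity provider would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def vulnerable_login(token: str) -> str:
    """The pattern the advisory describes: decode the payload and trust it
    without checking the signature. Any parseable token logs the user in."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))["sub"]


def hardened_login(token: str, expected_nonce: str,
                   now: Optional[float] = None, key: bytes = IDP_KEY) -> str:
    """Verify before trusting: pin the algorithm, check the MAC in constant
    time, then validate iss/aud/exp/nonce as OpenID Connect Core requires."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:   # rejects alg=none and downgrades
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if claims.get("nonce") != expected_nonce:   # binds token to this login request
        raise PermissionError("nonce mismatch")
    return claims["sub"]


def forge_alg_none_token(claims: dict) -> str:
    """Attacker-crafted unsigned token: header alg=none, empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def tamper_token(token: str, new_claims: dict) -> str:
    """Attacker-crafted tampered token: genuine header and signature kept,
    payload replaced."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


def demo() -> dict:
    """Run the three tokens through both consumers; returns who each logs in."""
    now = 1_775_000_000                         # fixed clock, deterministic run
    nonce = "n-0S6_WzA2Mj"                      # constructed per-request nonce
    genuine = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
               "sub": "alice", "exp": now + 300, "nonce": nonce}
    forged = dict(genuine, sub="administrator")
    good = issue_id_token(genuine)
    tokens = {"good": good,
              "unsigned": forge_alg_none_token(forged),
              "tampered": tamper_token(good, forged)}
    results = {"vulnerable": {}, "hardened": {}}
    for name, tok in tokens.items():
        results["vulnerable"][name] = vulnerable_login(tok)
        try:
            results["hardened"][name] = hardened_login(tok, nonce, now)
        except PermissionError as err:
            results["hardened"][name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the vulnerable consumer logging in "administrator" for both the unsigned and the tampered token, while the hardened consumer accepts only the genuine token and reports why each forgery was refused. The algorithm allow-list matters as much as the signature check: a verifier that honours the token's own `alg` header can be talked into `none` or into a weaker scheme, so the consumer decides the algorithm, not the token.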

Mitigation

Update OpenOlat to version 20.2.5 or later.

Social Media Activity (1 post)

TheHackerWire (@thehackerwire), Mar 30, 2026

🔓 CVE-2026-31946 - Critical (9.8) OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31946/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-31946
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: unconfirmed
EPSS: 3.8%
Social Posts: 1

CWE

  • CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.8% (probability of exploitation in the next 30 days)