CVE-2025-68270
Improper Access Control in Open edX CourseLimitedStaffRole
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| edx | open_edx | * |
| openedx | edx_platform | 3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Open edX Platform involves improper access control related to the CourseLimitedStaffRole. Users granted this role at the organizational level, rather than on a specific course, can access and edit courses in the Studio interface, which they are not supposed to do. They can also list courses they have the role on within Studio, despite not being intended to have any Studio access for those courses. The issue arises because CourseLimitedStaffRole is a subclass of CourseStaffRole, and the system incorrectly assumes subclasses grant more access rather than less. This flaw allows users with limited privileges to gain unauthorized access and editing capabilities in Studio. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can have a critical impact by allowing unauthorized users with the CourseLimitedStaffRole to access and modify course content in the Studio interface. This leads to high impacts on confidentiality and integrity, as sensitive course data can be accessed and altered without proper authorization. The vulnerability is remotely exploitable with low complexity and requires only low privileges, making it easy for attackers to exploit. The availability impact is low, but the unauthorized data access and modification pose significant risks to the security and trustworthiness of the platform. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should apply the patches that fix the improper access control for the CourseLimitedStaffRole in the Open edX platform. Specifically, update your edx-platform installation to include the commits and backport pull requests #37772 and #37773, which implement strict role checking to prevent CourseLimitedStaffRole users from accessing or editing courses in Studio beyond their intended permissions. These patches have been merged into the ulmo and master branches. Ensuring your platform is updated to these versions will address the vulnerability. [2, 3, 4]
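The following is an added illustration of the class-hierarchy assumption described above and of the strict role check the fix applies; it is a hypothetical Python model, not edx-platform's own code, and every class, function and attribute name in it is an assumption:

```python
from typing import Iterable, Optional

# Hypothetical role model (assumption, not edx-platform code).
# A role is granted either on one course or org-wide (course=None).
class CourseStaffRole:
    def __init__(self, org: str, course: Optional[str] = None):
        self.org = org          # organization the role is scoped to
        self.course = course    # specific course id, or None for org-wide

class CourseLimitedStaffRole(CourseStaffRole):
    """Subclass that is meant to grant LESS than its parent: no Studio access."""

def _in_scope(role: CourseStaffRole, org: str, course: str) -> bool:
    # Org-wide grants cover every course in that org.
    return role.org == org and role.course in (None, course)

def has_studio_access_vulnerable(roles: Iterable[CourseStaffRole],
                                 org: str, course: str) -> bool:
    # Subclass (is-a) check: a CourseLimitedStaffRole IS a CourseStaffRole,
    # so the narrowing role is silently promoted to full Studio access.
    return any(isinstance(r, CourseStaffRole) and _in_scope(r, org, course)
               for r in roles)

# Exact role classes that may open a course in Studio (allow-list).
STUDIO_ROLES = (CourseStaffRole,)

def has_studio_access_strict(roles: Iterable[CourseStaffRole],
                             org: str, course: str) -> bool:
    # Strict check: match the concrete class, not the hierarchy, so a
    # subclass that was introduced to reduce privileges never qualifies.
    return any(type(r) in STUDIO_ROLES and _in_scope(r, org, course)
               for r in roles)

if __name__ == "__main__":
    limited_org_wide = [CourseLimitedStaffRole("OrgX")]   # constructed sample
    print(has_studio_access_vulnerable(limited_org_wide, "OrgX", "course-1"))  # True
    print(has_studio_access_strict(limited_org_wide, "OrgX", "course-1"))      # False
```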
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users with limited privileges to access and edit course content in the Open edX Studio interface, leading to high impacts on confidentiality and integrity of data. This unauthorized access and modification risk could potentially lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to sensitive information. However, no explicit mention of compliance impact with these standards is provided in the resources. [2]