CVE-2026-25126
Improper Input Validation in PolarLearn Vote API Enables Logic Bypass
Publication date: 2026-01-29
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| polarlearn | polarlearn | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in PolarLearn prior to version 0-PRERELEASE-15 involves the vote API route (`POST /api/v1/forum/vote`) trusting the JSON body's `direction` value without runtime validation. Since TypeScript types are not enforced at runtime, an attacker can send arbitrary strings as the `direction` value. The downstream VoteServer treats any value other than "up" or null as a downvote and stores this invalid value in votes_data. This allows an attacker to bypass the intended business logic related to voting.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to manipulate the voting system in PolarLearn. They can send arbitrary values to the vote API, causing invalid votes to be recorded and potentially bypassing intended business rules. This could lead to inaccurate vote counts, manipulation of forum content ranking, or other unintended behaviors affecting the integrity of the voting system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade PolarLearn to version 0-PRERELEASE-15 or later, which fixes the vulnerability by adding runtime validation to the vote API route's 'direction' value.