CVE-2026-31946
Received Received - Intake

JWT Signature Bypass in OpenOLAT OpenID Connect Impacts Authentication

Vulnerability report for CVE-2026-31946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-30
Last Modified
2026-04-02
Generated
2026-07-06
AI Q&A
2026-03-31
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
frentix openolat From 10.5.4 (inc) to 20.2.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenOLAT's OpenID Connect implicit flow implementation from versions 10.5.4 to before 20.2.5. The issue is that the system does not verify the cryptographic signatures of JSON Web Tokens (JWTs). Specifically, the JSONWebToken.parse() method ignores the signature part of the JWT, and the methods that retrieve access tokens only validate claim-level fields such as issuer, audience, state, and nonce without checking the signature against the Identity Provider's JWKS endpoint.

Because the signature is not verified, an attacker could potentially forge tokens and gain unauthorized access.

This vulnerability was fixed in OpenOLAT version 20.2.5.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to bypass authentication by forging JWTs without valid signatures.

  • Unauthorized access to user accounts or sensitive information.
  • Potential full compromise of the affected OpenOLAT system.
  • Loss of confidentiality, integrity, and availability of the system and its data.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenOLAT to version 20.2.5 or later, where the issue with JWT signature verification in the OpenID Connect implicit flow has been patched.

Compliance Impact

The vulnerability in OpenOlat's OpenID Connect implicit flow implementation allows JWT signatures to go unverified, which can lead to unauthorized access and compromise of sensitive data.

Such a security flaw can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strong authentication mechanisms and protection of personal and sensitive information.

Failure to verify JWT signatures undermines the integrity and authenticity of user sessions, potentially leading to data breaches that violate these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart