Executive Summary

CVE-2026-34736 is a moderate severity vulnerability in the Open edX platform that allows an unauthenticated attacker to bypass the email verification process.

This is possible because of two combined issues: first, the OAuth2 password grant issues authentication tokens to inactive users (which is documented behavior); second, the activation_key is exposed in the REST API response at the endpoint /api/user/v1/accounts/.

By exploiting these, an attacker can activate accounts without needing access to the user's email verification link.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to activate user accounts without proper email verification, which compromises the integrity of the account activation process.

An attacker can register an account, obtain an OAuth2 token despite the account being inactive, retrieve the activation_key from the API response, and activate the account by sending a request with that key.

This unauthorized activation could lead to unauthorized modifications of account states, potentially allowing attackers to bypass intended security controls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Open edX platform version in use is between the maple release and before the ulmo release, as these versions expose the activation_key in the REST API response.

Specifically, you can test the presence of the activation_key field by sending an unauthenticated GET request to the endpoint /api/user/v1/accounts/ or /api/user/v1/accounts/{username} and inspecting the JSON response for the activation_key field.

A sample command using curl to check this would be:

• curl -s https://your-openedx-instance/api/user/v1/accounts/{username} | grep activation_key

If the activation_key is present in the response, the system is vulnerable to this issue.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Open edX platform to the ulmo release or later, where this vulnerability has been patched.

The patch removes the activation_key field from the user account REST API responses, preventing unauthorized access to the activation key and thus blocking the email verification bypass.

Until the upgrade can be performed, restrict access to the /api/user/v1/accounts/ endpoint to authenticated and authorized users only, if possible, to reduce exposure.

Additionally, monitor for any suspicious account activations that could indicate exploitation of this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an unauthenticated attacker to bypass the email verification process and activate user accounts without proper verification. This unauthorized account activation could lead to integrity issues by enabling unauthorized modifications to user account status.

While the vulnerability does not impact confidentiality or availability, the ability to activate accounts without verification may undermine trust in user identity validation processes, which could have implications for compliance with standards that require strong user authentication and identity verification, such as GDPR and HIPAA.

However, there is no explicit information in the provided resources about direct effects on compliance with GDPR, HIPAA, or other regulations.

Useful 0 Not Useful 0