CVE-2026-35404
Modified Modified - Updated After Analysis
Open edX Open Redirect Enables Phishing and Credential Theft

Publication date: 2026-04-06

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35404
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openedx openedx to 2026-04-02 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Open edX Platform's view_survey endpoint, which accepts a redirect_url GET parameter without validating the URL. When a non-existent survey name is provided, the server immediately redirects users to an attacker-controlled URL using an HTTP 302 redirect. Additionally, this unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript uses it to change the location.href. This behavior enables attackers to conduct phishing and credential theft attacks against authenticated Open edX users.

Impact Analysis

This vulnerability can lead to phishing and credential theft attacks targeting authenticated users of the Open edX Platform. Attackers can redirect users to malicious websites controlled by them, potentially tricking users into revealing sensitive information such as login credentials.

Mitigation Strategies

The vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970. Applying this fix or updating to a version of Open edX that includes this commit is the immediate step to mitigate the vulnerability.

Compliance Impact

The vulnerability enables phishing and credential theft attacks against authenticated Open edX users by allowing unvalidated redirects to attacker-controlled URLs. This can lead to unauthorized access to user credentials and potentially personal data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user data and preventing unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart