Executive Summary

CVE-2026-35610 is a high-severity privilege escalation vulnerability in the PolarLearn learning program (versions up to v0-PRERELEASE-14). It exists in the account-management module where two functions, setCustomPassword(userId, password) and deleteUser(userId), use an inverted admin authorization check.

Because of this flawed logic, authenticated non-admin users are mistakenly allowed to execute these privileged actions, while legitimate admin users are denied. This means non-admin users can set arbitrary passwords for other users and delete user accounts, actions that should be restricted to admins.

The root cause is an improper authorization check due to a negated inequality condition in the code, which reverses the intended access control.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated non-admin user to escalate their privileges by setting passwords on other user accounts and deleting user accounts.

• Account takeover: Attackers can set a new password for victim accounts and then log in as those users.
• Account deletion: Attackers can delete arbitrary user accounts, causing permanent disruption and loss of user data.

Overall, this leads to a severe compromise of confidentiality, integrity, and availability within the application.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether authenticated non-admin users are able to execute privileged actions that should be restricted to admins only.

Specifically, you can attempt to invoke the functions setCustomPassword(userId, password) and deleteUser(userId) as a non-admin user and observe if these actions succeed.

If these actions succeed, it indicates the presence of the inverted admin check vulnerability.

Suggested commands or steps include:

• Log in as a non-admin user.
• Invoke setCustomPassword with a victim user ID and a chosen password.
• Attempt to log in as the victim using the new password.
• Invoke deleteUser with the victim user ID to check if deletion is allowed.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves correcting the authorization logic in the account-management module to properly restrict privileged actions to admin users only.

Specifically, the authorization check should be changed from the flawed condition:

if (!operator || !(operator.role !== "admin")) { return { success: false, error: "Unauthorized" } }

to the correct condition:

if (!operator || operator.role !== "admin") { return { success: false, error: "Unauthorized" } }

Until a patched version is available, restrict access to the affected functions to trusted admin users only, or disable these functions if possible.

Additionally, monitor logs for suspicious activity such as non-admin users attempting to change passwords or delete accounts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated non-admin users to escalate privileges by setting arbitrary passwords on other user accounts and deleting user accounts. This leads to unauthorized access and potential data breaches.

Such unauthorized access and account takeover can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over user data confidentiality, integrity, and availability.

Specifically, the high severity of the vulnerability (CVSS 8.8) and its impact on confidentiality, integrity, and availability indicate a significant risk of non-compliance with these standards due to potential exposure or loss of sensitive personal or health information.

Useful 0 Not Useful 0