CVE-2026-42858
Open edX Platform SAML Metadata URL Redirection
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| edx | open_edx | * |
| openedx | openedx_platform | up to master (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker with Enterprise Admin privileges to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal network services and cloud metadata endpoints. This can lead to unauthorized access to sensitive information such as cloud credentials and internal APIs.
Such unauthorized access and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized disclosure.
By enabling attackers to escalate privileges beyond their intended scope and access internal resources, the vulnerability increases the risk of data breaches and non-compliance with data protection requirements.
How can this vulnerability impact me?:
This vulnerability can have severe impact: the server can be made to reach internal network services and cloud instance metadata endpoints, and a request to the metadata service can return the temporary cloud credentials of the instance role.
An attacker can also scan internal networks and reach internal APIs; even where the response body is not returned, differences in error messages and response timing reveal which hosts and ports are open (blind SSRF).
The vulnerability represents a significant escalation beyond the intended scope of the Enterprise Admin role, potentially compromising cloud infrastructure and internal resources.
Can you explain this vulnerability to me?
CVE-2026-42858 is a Server-Side Request Forgery (SSRF) vulnerability in the Open edX platform, specifically in the sync_provider_data endpoint of the SAMLProviderDataViewSet. An authenticated Enterprise Admin can supply an arbitrary URL in the metadata_url POST parameter, and the server uses it directly in an HTTP request with no validation of the destination, no filtering of the resolved IP address and no enforcement of the URL scheme.
The request is therefore made from the server's own network position: an Enterprise Admin can point it at internal services, at the link-local instance metadata address 169.254.169.254 (used by AWS and other cloud providers), or at an attacker-controlled host.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an SSRF via the sync_provider_data endpoint: an authenticated Enterprise Admin supplies a URL in the metadata_url POST parameter and the server fetches it without validation.
Detection therefore has two sides: outbound connections from the Open edX application host to unexpected destinations, above all the instance metadata address 169.254.169.254 and the RFC 1918 private ranges, and inbound calls to sync_provider_data whose metadata_url points at such destinations.
Suggested checks:
- Capture outbound connections from the application host to the metadata address and the private ranges: tcpdump -i <interface> -nn 'dst host 169.254.169.254 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16' (exclude the hosts the application legitimately talks to, such as its database and cache, to reduce noise; an attacker can target any port, so do not restrict the filter to 80 and 443 unless the volume forces it).
- Check application logs for POST requests to the sync_provider_data endpoint and inspect the metadata_url value. Standard web-server access logs record only the request line, not the POST body, so the parameter value is visible only where the application, a reverse proxy or a WAF logs request bodies; otherwise correlate the timestamp of each sync_provider_data call with the outbound traffic captured above.
- On a test instance, send a sync_provider_data request with a metadata_url you control (a listener you can watch) and one that must be refused, such as https://127.0.0.1/: an unpatched server fetches the URL, a patched one rejects the request with a validation error before any outbound connection is made. Do this only with an account you own, since the request runs with Enterprise Admin rights.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to apply the fix in the referenced commits, which adds strict URL validation and IP filtering to the metadata_url handling to prevent SSRF.
Specifically, the fix enforces the HTTPS scheme and blocks loopback, link-local (which includes cloud metadata endpoints such as 169.254.169.254) and reserved IP addresses, and by default also the RFC 1918 private IP ranges.
Administrators should update the Open edX platform to a build that includes the validation function validate_saml_metadata_url() introduced in commit 70a56246dd9c9df57c596e64bdd8a11b1d9da054.
Additionally, review the SAML_METADATA_URL_ALLOW_PRIVATE_IPS setting and keep it False unless an identity provider genuinely lives on a private address; setting it to True lets every Enterprise Admin make the server reach RFC 1918 hosts again, so treat that as a documented exception rather than a convenience.
If immediate patching is not possible, reduce the number of accounts holding Enterprise Admin (the attack requires that role) and monitor calls to the sync_provider_data endpoint and outbound connections from the application host to the destinations listed above.
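The following is an added example, not code from Open edX or from the fix commit; the function names, the log line format and the hostnames are assumptions made for illustration. It puts the unvalidated fetch described in the explanation above beside a validator that applies the policy attributed to the fix (HTTPS only; loopback, link-local, reserved and, unless explicitly allowed, RFC 1918 destinations refused) and reuses that validator as the detection logic for the log-review step: every metadata_url value in the constructed log lines is re-checked and the ones an unpatched server would have fetched are reported.

```python
# Added illustration for CVE-2026-42858, not Open edX code: names, log format
# and hosts are assumptions. Python 3.8+, standard library only.
import ipaddress
import re
import socket
from urllib.parse import urlsplit

def system_resolve(host):
    """Every A/AAAA answer the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked_address(ip, allow_private_ips=False):
    """Loopback, link-local (169.254.0.0/16 holds the 169.254.169.254 metadata
    endpoint), reserved, multicast and unspecified are always refused; RFC 1918
    and ULA ranges are refused unless allow_private_ips is True."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    if (addr.is_loopback or addr.is_link_local or addr.is_reserved
            or addr.is_multicast or addr.is_unspecified):
        return True
    return addr.is_private and not allow_private_ips

def validate_saml_metadata_url(url, allow_private_ips=False, resolve=system_resolve):
    """Accept only an https URL whose host resolves solely to allowed addresses.
    Returns the vetted addresses so the caller can connect to one of them rather
    than resolve again (DNS rebinding); raises ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"scheme {parts.scheme!r} not allowed, https required")
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # IP literal, nothing to resolve
    except ValueError:
        try:
            candidates = resolve(host)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}: {exc}") from None
    if not candidates:
        raise ValueError(f"{host} resolved to no addresses")
    for ip in candidates:
        if is_blocked_address(ip, allow_private_ips):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return candidates

def sync_provider_data_unpatched(metadata_url, fetch):
    """What the advisory describes: the POSTed URL goes straight to the client."""
    return fetch(metadata_url)

def sync_provider_data_patched(metadata_url, fetch, allow_private_ips=False,
                               resolve=system_resolve):
    """Same fetch behind the validator; a ValueError means no request was made."""
    validate_saml_metadata_url(metadata_url, allow_private_ips, resolve)
    return fetch(metadata_url)

LOG_URL_RE = re.compile(r"metadata_url=(\S+)")

def scan_sync_log(lines, allow_private_ips=False, resolve=system_resolve):
    """Re-apply the validator to logged metadata_url values. Returns
    (line number, url, reason) for each value an unpatched instance fetched."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_URL_RE.search(line)
        if not m or "sync_provider_data" not in line:
            continue
        try:
            validate_saml_metadata_url(m.group(1), allow_private_ips, resolve)
        except ValueError as exc:
            hits.append((n, m.group(1), str(exc)))
    return hits

# Constructed log lines in an assumed format and a stub resolver so this runs
# offline; 93.184.216.34 stands in for a public IdP address.
SAMPLE_LOG = [
    "2026-05-12T10:01:02Z endpoint=sync_provider_data user=admin metadata_url=https://idp.example.edu/metadata.xml",
    "2026-05-12T10:03:44Z endpoint=sync_provider_data user=eve metadata_url=http://169.254.169.254/latest/meta-data/",
    "2026-05-12T10:04:10Z endpoint=sync_provider_data user=eve metadata_url=https://10.0.3.7:8500/v1/kv/",
    "2026-05-12T10:05:00Z endpoint=sync_provider_data user=eve metadata_url=https://[::ffff:127.0.0.1]/",
    "2026-05-12T10:06:31Z endpoint=sync_provider_data user=eve metadata_url=https://metadata.internal/",
]
STUB_DNS = {"idp.example.edu": ["93.184.216.34"], "metadata.internal": ["192.168.1.20"]}

def stub_resolve(host):
    """Offline stand-in for system_resolve."""
    if host not in STUB_DNS:
        raise socket.gaierror(f"stub: unknown host {host}")
    return STUB_DNS[host]

if __name__ == "__main__":
    for n, url, reason in scan_sync_log(SAMPLE_LOG, resolve=stub_resolve):
        print(f"line {n}: {url} -> {reason}")
```

Two points the policy list alone does not convey. The validator returns the addresses it vetted because a hostname that passes the check can be re-resolved to 127.0.0.1 a moment later (DNS rebinding); a caller that connects to one of the returned addresses, sending the original hostname for TLS verification and the Host header, closes that gap, whereas one that hands the URL back to a plain HTTP client re-resolves and reopens it. The IPv4-mapped unwrapping matters because ::ffff:127.0.0.1 is a valid IPv6 literal that older ipaddress versions do not classify as loopback. When scanning historical logs, resolve hostnames through a cached or stub resolver as the example does: live lookups may no longer return what the attacker's name served at request time, and they send queries to a nameserver the attacker may control.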