Executive Summary

CVE-2026-42860 is a Server-Side Request Forgery (SSRF) vulnerability in the Open edX platform's edx-enterprise package, affecting versions 7.0.2 to 7.0.4.

An authenticated user with the Enterprise Admin role can set the metadata_source URL in SAMLProviderConfig to any arbitrary URL via a PATCH request, then trigger the server to fetch data from that URL using the sync_provider_data endpoint.

The server fetches the URL without enforcing HTTPS, IP filtering, or timeouts, allowing attackers to make HTTP requests to internal or malicious addresses.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to perform unauthorized server-side HTTP requests to internal services or cloud metadata endpoints.

• Access AWS, GCP, or Azure instance metadata services to steal IAM credentials.
• Scan internal networks that are not exposed to the internet.
• Interact with internal APIs that should be inaccessible externally.

Overall, it compromises confidentiality by exposing sensitive internal resources and credentials.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an authenticated Enterprise Admin user manipulating the metadata_source URL to trigger server-side HTTP requests. Detection can focus on monitoring for unusual or unauthorized PATCH requests to the SAMLProviderConfigViewSet endpoint and calls to the sync_provider_data endpoint.

Network detection can include monitoring outbound HTTP requests from the affected server to unusual or internal IP addresses, especially those in private or link-local ranges (e.g., 169.254.0.0/16, RFC 1918 ranges).

• Use web server or application logs to identify PATCH requests to the SAMLProviderConfigViewSet endpoint modifying the metadata_source field.
• Monitor calls to the sync_provider_data endpoint that trigger metadata fetches.
• On the server, use network monitoring tools or commands such as `netstat -anp | grep ESTABLISHED` or `ss -tunap` to identify unexpected outbound connections.
• Use packet capture tools like `tcpdump` or `wireshark` to analyze outbound HTTP requests to suspicious IP addresses.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the edx-enterprise package to version 7.0.5 or later, where the vulnerability is fixed.

Until the patch can be applied, implement network-level egress filtering to block outbound connections from the affected server to restricted IP ranges such as 169.254.0.0/16 and RFC 1918 private address spaces.

Restrict access to the SAMLProviderConfigViewSet PATCH endpoint to only trusted administrators and monitor usage closely.

Review and audit logs for any suspicious changes to the metadata_source field or calls to sync_provider_data.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to perform Server-Side Request Forgery (SSRF) to access internal services and cloud metadata endpoints, potentially leading to the theft of IAM credentials and unauthorized access to sensitive internal APIs.

Such unauthorized access and potential data exposure can compromise the confidentiality of sensitive information, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require strict controls over access to personal and sensitive data.

Therefore, exploitation of this vulnerability could lead to violations of these regulations due to unauthorized data access and insufficient security controls.

Useful 0 Not Useful 0