Critical severity9.8NVD Advisory· Published Mar 30, 2026· Updated Apr 2, 2026

CVE-2026-31946

Description

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.

Affected products

Frentix/Openolat
cpe:2.3:a:frentix:openolat:*:*:*:*:*:*:*:*
Range: >=10.5.4,<20.2.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vchnvdMitigationVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000