Medium severity5.3NVD Advisory· Published Apr 2, 2026· Updated Apr 3, 2026

CVE-2026-34736

Description

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.

Affected products

Openedx/Openedx Platformreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8nvd
github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crwnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000