CVE-2026-42860
Description
The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger a server-side HTTP request by calling sync_provider_data. The fetch in fetch_metadata_xml() passes the URL directly to requests.get() with no scheme enforcement, IP filtering, or timeout. This vulnerability is fixed in 7.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
edx-enterprisePyPI | >= 7.0.2, < 7.0.5 | 7.0.5 |
Affected products
2- Range: >= 7.0.2, <= 7.0.4
Patches
Vulnerability mechanics
References
4- github.com/openedx/edx-enterprise/security/advisories/GHSA-64cv-vxpr-j6vcnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-64cv-vxpr-j6vcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-42860ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/edx-enterprise/PYSEC-2026-58.yamlghsaWEB
News mentions
0No linked articles in our index yet.