Open edX Platform Activation Bypass Vulnerability via Activation Key Exposure in REST API

Vulnerability

A vulnerability in the Open edX Platform allows an unauthenticated attacker to bypass email verification for a newly registered account. Two defects combine: the OAuth2 password grant issues access tokens to accounts that have not yet been activated, and the REST API response at '/api/user/v1/accounts/' includes the account's activation key, a secret that is meant to reach the user only through the verification email. Open edX releases from maple up to, but not including, ulmo are affected.

Impact

An attacker who knows only the credentials they registered with, and who never reads the verification email, can activate the account themselves. This defeats the guarantee email verification is meant to provide, namely that the account holder controls the registered address, and weakens any control that depends on that guarantee.

Reproduction

An attacker registers a new account, which is created in the inactive state, and then requests an OAuth2 access token with the password grant; the token is issued even though the account is inactive. Using that token, the attacker reads their own profile from '/api/user/v1/accounts/'. The response contains the activation key, which is normally only delivered in the verification email. Submitting the key to '/activate/{key}' activates the account, and the email is never needed.
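The chain above as a runnable model, added here for illustration and not taken from Open edX's code. It stands in for the two defects with a toy account store: one password-grant function that ignores the active flag beside one that honours it, and one accounts view that serialises the activation key beside one that omits it. The class and function names, the JSON field name "activation_key", and the plaintext credential store are assumptions made for the example; only the two endpoint paths come from the advisory. Running attempt_bypass with each combination shows that the bypass succeeds only when both defects are present and that closing either one breaks it.

```python
"""Added example (not Open edX code): a minimal offline model of the two
defects and of the attacker's chain. Names below are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Account:
    username: str
    password: str                     # plaintext only because this is a toy model
    is_active: bool = False           # registration leaves the account inactive
    activation_key: str = field(default_factory=lambda: secrets.token_hex(16))


class Platform:
    """Accounts plus issued bearer tokens; registration needs no authentication."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, str] = {}  # bearer token -> username

    def register(self, username: str, password: str) -> Account:
        acct = Account(username, password)
        self.accounts[username] = acct
        return acct

    # --- OAuth2 password grant --------------------------------------------
    def password_grant_vulnerable(self, username: str, password: str) -> Optional[str]:
        """Defect 1: a token is issued whenever credentials match, active or not."""
        acct = self.accounts.get(username)
        if acct is None or acct.password != password:
            return None
        return self._issue(username)

    def password_grant_fixed(self, username: str, password: str) -> Optional[str]:
        """Inactive accounts get no token, so nothing authenticated can be read."""
        acct = self.accounts.get(username)
        if acct is None or acct.password != password or not acct.is_active:
            return None
        return self._issue(username)

    # --- GET /api/user/v1/accounts/ (path from the advisory) ---------------
    def accounts_view_vulnerable(self, token: str) -> Optional[dict]:
        """Defect 2: the activation key is serialised with the profile."""
        acct = self._by_token(token)
        if acct is None:
            return None
        return {"username": acct.username, "is_active": acct.is_active,
                "activation_key": acct.activation_key}  # assumed field name

    def accounts_view_fixed(self, token: str) -> Optional[dict]:
        """The key is delivered only by email and never appears in the API."""
        acct = self._by_token(token)
        if acct is None:
            return None
        return {"username": acct.username, "is_active": acct.is_active}

    # --- GET /activate/{key} (path from the advisory) ----------------------
    def activate(self, key: str) -> bool:
        for acct in self.accounts.values():
            if secrets.compare_digest(acct.activation_key, key):
                acct.is_active = True
                return True
        return False

    def _issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def _by_token(self, token: str) -> Optional[Account]:
        username = self.tokens.get(token)
        return self.accounts.get(username) if username else None


def attempt_bypass(platform: Platform,
                   grant: Callable[[str, str], Optional[str]],
                   view: Callable[[str], Optional[dict]],
                   username: str, password: str) -> bool:
    """Play the attacker: register, take a token, read the key, self-activate.
    Returns True only if the account ends up active without any email."""
    platform.register(username, password)
    token = grant(username, password)
    if token is None:                 # no token for inactive accounts: chain broken
        return False
    profile = view(token) or {}
    key = profile.get("activation_key")
    if key is None:                   # key absent from the response: chain broken
        return False
    return platform.activate(key) and platform.accounts[username].is_active


if __name__ == "__main__":
    p = Platform()
    print("vulnerable:", attempt_bypass(p, p.password_grant_vulnerable,
                                        p.accounts_view_vulnerable, "eve", "pw"))
    p = Platform()
    print("fixed:", attempt_bypass(p, p.password_grant_fixed,
                                   p.accounts_view_fixed, "eve", "pw"))
```

The point of wiring the two halves separately is that each is an independent bug: refusing tokens to inactive accounts is the correct behaviour for the grant regardless of what the accounts view returns, and the accounts view should never serialise an email-delivered secret regardless of who holds a token.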

Remediation

This vulnerability has been patched in the Open edX ulmo release; operators should upgrade to ulmo or later. After upgrading, confirm with a freshly registered test account that the chain no longer works: a password-grant request for the inactive account should be refused, and the response from '/api/user/v1/accounts/' should no longer contain the activation key. The bypass needs both defects, so either behaviour being absent breaks the chain, but both are worth checking.

Added: Apr 2, 2026, 9:38 PM
Updated: Apr 2, 2026, 9:38 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.