PolarLearn Session Creation Vulnerability for Banned Accounts Allowing Unauthorized Access

Vulnerability

A vulnerability in PolarLearn versions through v0-PRERELEASE-15 allows banned accounts to create valid sessions via the POST /api/v1/auth/sign-in endpoint. This occurs before the supplied password is verified, enabling unauthorized access to account data and authenticated actions as the banned user. The issue arises because the sign-in process does not properly enforce bans before session creation, and the resulting sessions are accepted across authenticated API routes.

Impact

Exploitation of this vulnerability allows access to a banned user's account data and the ability to perform authenticated actions on their behalf, until the session expires.

Added: Apr 7, 2026, 9:10 PM

Updated: Apr 7, 2026, 9:10 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

4.8

remediation

0.0

relevance

5.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

4.8

remediation

0.0

relevance

5.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PolarLearn Session Creation Vulnerability for Banned Accounts Allowing Unauthorized Access

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating