CVE-2026-34736 Overview
Open edX Platform enables the authoring and delivery of online learning at any scale. A significant authentication bypass vulnerability has been identified in the platform that allows unauthenticated attackers to fully bypass the email verification process. This vulnerability affects versions from the Maple release up to, but not including, the Ulmo release.
The flaw exists due to two combined issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. By exploiting these weaknesses together, an attacker can activate accounts without access to the associated email address, effectively circumventing a critical security control.
Critical Impact
Unauthenticated attackers can bypass email verification and activate arbitrary user accounts by combining OAuth2 token issuance to inactive users with exposed activation keys in the REST API.
Affected Products
- Open edX Platform, Maple release through versions prior to the Ulmo release
- Installations exposing the /api/user/v1/accounts/ REST API endpoint
- Deployments using OAuth2 password grant authentication
Discovery Timeline
- 2026-04-02 - CVE-2026-34736 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34736
Vulnerability Analysis
This vulnerability is classified as CWE-287 (Improper Authentication) and represents an authentication bypass condition. The attack requires network access but no user interaction or special privileges, making it accessible to any remote attacker.
The vulnerability stems from a design oversight where sensitive account activation data is inadvertently exposed through a public API endpoint. When combined with the platform's documented behavior of issuing OAuth2 tokens to inactive users, this creates a complete bypass of the email verification workflow that organizations rely on to validate user identity.
The integrity impact allows attackers to modify account states without authorization, though confidentiality and availability are not directly affected. Organizations using Open edX for identity-sensitive applications such as credentialing, certifications, or gated content delivery are at particular risk.
Root Cause
The root cause is twofold:
Information Exposure: The activation_key field was inadvertently included in the account REST API serializer response at /api/user/v1/accounts/. This value should never be exposed through any API endpoint, because it serves as the secret token for account activation.
Design Weakness: The OAuth2 password grant implementation issues valid tokens to inactive user accounts. While documented, this behavior becomes exploitable when combined with the activation key exposure.
Attack Vector
An attacker can exploit this vulnerability through the following attack flow:
- Create a new account on the Open edX platform without email verification
- Query the /api/user/v1/accounts/ REST API endpoint to retrieve account information
- Extract the activation_key from the API response
- Use the activation key to complete account activation without access to the email inbox
- Leverage the OAuth2 password grant to obtain valid authentication tokens
The following patch removes the activation_key from the API response to prevent the information disclosure:
"secondary_email_enabled",
"year_of_birth",
"phone_number",
- "activation_key",
"pending_name_change",
]
)
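Review bot: Removing "activation_key" from this field list is the right fix, but nothing in the hunk stops the field from being reintroduced later; add an API test asserting that the /api/user/v1/accounts/ response contains no activation_key key, and confirm no other serializer or shared field list still emits it.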
Source: GitHub Commit Details
The corresponding serializer change removes the activation key retrieval logic:
except ObjectDoesNotExist:
account_recovery = None
- try:
- activation_key = user.registration.activation_key
- except ObjectDoesNotExist:
- activation_key = None
-
data = {
"username": user.username,
"url": self.context.get('request').build_absolute_uri(
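Review bot: With the try/except removed, `activation_key` is no longer defined in this scope, so the `data = {` literal that begins at the end of the hunk must not still reference it or the view will raise NameError at runtime; confirm the matching dictionary entry is deleted in the same commit, since it is not visible in this excerpt.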
Source: GitHub Commit Details
Detection Methods for CVE-2026-34736
Indicators of Compromise
- Unusual API requests to /api/user/v1/accounts/ endpoint from unauthenticated or suspicious IP addresses
- Account activations occurring without corresponding email link clicks in mail server logs
- OAuth2 token grants to recently created accounts that bypassed normal email verification workflow
- Anomalous patterns of account creation followed immediately by activation without email interaction
Detection Strategies
- Implement monitoring for API requests to /api/user/v1/accounts/ and flag responses that still contain an activation_key field (this indicates an unpatched system)
- Correlate account activation events with email server delivery logs to identify activations without corresponding email verification
- Monitor OAuth2 token issuance patterns for tokens granted to accounts created within a short time window
- Deploy web application firewall rules to detect enumeration attempts against user account endpoints
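The first two detection strategies above, as an added example that is not part of the advisory or of Open edX: one check inspects a captured /api/user/v1/accounts/ response for the leaked field, the other correlates LMS activation events with mail-server delivery events. The log line formats, field names other than activation_key, and all sample data are constructed for this example.

```python
import json
import re
from datetime import datetime, timedelta

SENSITIVE_FIELDS = {"activation_key"}

def exposed_fields(response_body):
    """Sensitive field names present in a captured /api/user/v1/accounts/
    response (a list of account dicts or a single dict). A non-empty result
    means the deployment still leaks the activation secret, i.e. is unpatched."""
    data = json.loads(response_body)
    records = data if isinstance(data, list) else [data]
    found = set()
    for record in records:
        found |= SENSITIVE_FIELDS & set(record)   # set(dict) yields its keys
    return found

# Constructed log formats (assumed here, not Open edX's or any specific MTA's):
#   "<ISO time> activated email=<addr>"   emitted by the LMS on activation
#   "<ISO time> delivered to=<addr>"      emitted by the mail server
ACTIVATION_RE = re.compile(r"^(\S+) activated email=(\S+)$")
DELIVERY_RE = re.compile(r"^(\S+) delivered to=(\S+)$")

def activations_without_mail(lms_lines, mail_lines, window=timedelta(hours=48)):
    """Addresses whose account was activated although no activation mail was
    delivered to them within `window` before the activation time."""
    delivered = {}
    for line in mail_lines:
        m = DELIVERY_RE.match(line)
        if m:
            delivered.setdefault(m.group(2).lower(), []).append(
                datetime.fromisoformat(m.group(1)))
    flagged = []
    for line in lms_lines:
        m = ACTIVATION_RE.match(line)
        if not m:
            continue
        when, addr = datetime.fromisoformat(m.group(1)), m.group(2).lower()
        if not any(when - window <= t <= when for t in delivered.get(addr, [])):
            flagged.append(addr)
    return flagged

# Constructed sample data: alice's activation is preceded by a delivered mail,
# bob's is not, which is the pattern the advisory describes.
UNPATCHED = json.dumps([{"username": "alice", "year_of_birth": 1990,
                         "activation_key": "CONSTRUCTED-KEY"}])
PATCHED = json.dumps([{"username": "alice", "year_of_birth": 1990,
                       "pending_name_change": None}])
LMS_LOG = ["2026-04-03T10:00:00 activated email=alice@example.com",
           "2026-04-03T10:00:05 activated email=bob@example.com"]
MAIL_LOG = ["2026-04-03T09:58:00 delivered to=alice@example.com"]
```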
Monitoring Recommendations
- Enable detailed API access logging for the /api/user/v1/accounts/ endpoint
- Set up alerts for bulk account creation patterns that may indicate exploitation attempts
- Monitor authentication logs for OAuth2 grants to accounts that never completed traditional email verification
- Review access control configurations to ensure the accounts API requires appropriate authentication
How to Mitigate CVE-2026-34736
Immediate Actions Required
- Upgrade Open edX Platform to the Ulmo release or later, which contains the security fix
- Review recently created accounts for signs of unauthorized activation
- Temporarily restrict access to the /api/user/v1/accounts/ endpoint if immediate patching is not possible
- Audit OAuth2 token grants to identify any potentially compromised accounts
Patch Information
The vulnerability has been patched in the Open edX Platform Ulmo release. The fix removes the activation_key field from the account REST API response, preventing attackers from obtaining the secret activation token.
For detailed patch information, refer to:
Workarounds
- Implement network-level access controls to restrict access to the /api/user/v1/accounts/ endpoint to trusted internal services only
- Deploy a reverse proxy or API gateway rule to strip the activation_key field from API responses
- Consider requiring additional identity verification steps for sensitive operations beyond email verification
- Implement rate limiting on account creation and API access endpoints to slow down exploitation attempts
# Example nginx configuration to restrict access to the accounts endpoint
# (needs ngx_http_auth_request_module; assumes an 'lms_backend' upstream is defined).
# Note: a token issued to the inactive account itself would pass a plain token
# check, so the /auth handler should admit only trusted services or staff sessions.
location /api/user/v1/accounts/ {
    # Restrict to authenticated users only as interim measure
    auth_request /auth;
    proxy_pass http://lms_backend;
}
# auth_request subrequest target: placeholder, point it at your own check (2xx allows, 401/403 denies)
location = /auth {
    internal;
    proxy_pass http://AUTH_SERVICE_PLACEHOLDER;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

