CVE-2026-35404: Open edX Platform CSRF Vulnerability

CVE-2026-35404 Overview

CVE-2026-35404 is an Open Redirect vulnerability affecting the Open edX Platform, an open-source learning management system that enables authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to an attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users.

Critical Impact

Authenticated Open edX users can be redirected to malicious sites, enabling phishing attacks and credential theft through the unvalidated redirect_url parameter in the survey endpoint.

Affected Products

• Open edX Platform (versions prior to commit 76462f1e5fa9b37d2621ad7ad19514b403908970)

Discovery Timeline

• 2026-04-06 - CVE-2026-35404 published to NVD
• 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-35404

Vulnerability Analysis

This Open Redirect vulnerability (CWE-601) exists in the view_survey endpoint within lms/djangoapps/survey/views.py. The vulnerability stems from the application's failure to validate user-supplied URLs before using them in redirect operations. The redirect_url GET parameter is accepted directly from user input and passed to Django's HttpResponseRedirect() function without any sanitization or validation to ensure the URL points to a trusted domain.

The attack surface is expanded through multiple vectors: the server-side HTTP 302 redirect when a non-existent survey name is provided, the embedding of the unvalidated URL in hidden form fields, and the client-side JavaScript redirect via location.href. This multi-vector approach makes the vulnerability particularly effective for social engineering attacks against Open edX users.

Root Cause

The root cause is improper input validation in the view_survey endpoint. The application directly accepts the redirect_url GET parameter from user input and uses it in redirect operations without verifying that the destination URL belongs to a trusted domain. This violates the principle of input validation and allows attackers to abuse the legitimate redirect functionality to direct users to malicious external sites.

Attack Vector

An attacker can craft a malicious URL targeting an Open edX installation that includes an attacker-controlled domain in the redirect_url parameter. When an authenticated user clicks this link, they are seamlessly redirected to the malicious site while believing they are still interacting with the trusted Open edX platform. This enables sophisticated phishing attacks where the attacker's site can mimic the Open edX login page to harvest credentials, or serve malware to the victim.

The attack requires user interaction (clicking the malicious link), and because Open edX is an educational platform, attackers could distribute these links through course forums, emails appearing to be from instructors, or other channels where students would expect legitimate Open edX links.

# Vulnerable code in lms/djangoapps/survey/views.py
# The redirect_url parameter was passed without validation
    """
    View to render the survey to the end user
    """
-    redirect_url = request.GET.get('redirect_url')
-
-    return view_student_survey(request.user, survey_name, redirect_url=redirect_url)
+    return view_student_survey(request.user, survey_name)


def view_student_survey(user, survey_name, course=None, redirect_url=None, is_required=False, skip_redirect_url=None):

Source: GitHub Commit

Detection Methods for CVE-2026-35404

Indicators of Compromise

• HTTP requests to /survey/ endpoints containing redirect_url parameters with external domains
• Unusual HTTP 302 redirects from the Open edX platform to external untrusted domains
• User reports of unexpected redirects when interacting with survey links
• Web server logs showing survey endpoint requests with suspicious URL-encoded external domains in the redirect_url parameter

Detection Strategies

• Monitor web application firewall (WAF) logs for requests to survey endpoints containing external URLs in the redirect_url parameter
• Implement URL pattern detection rules to flag requests where redirect_url contains domains not on an allowlist
• Review access logs for survey endpoint requests that result in 302 redirects to external domains
• Deploy network-level monitoring to detect outbound redirects from the Open edX platform to untrusted destinations

Monitoring Recommendations

• Configure centralized logging for all survey endpoint access with full query string capture
• Set up alerting for high volumes of 302 redirects from survey endpoints
• Implement user behavior analytics to detect unusual navigation patterns indicative of phishing attempts
• Regularly audit survey-related URLs shared in course communications and forums

How to Mitigate CVE-2026-35404

Immediate Actions Required

• Apply the security patch by updating to a version containing commit 76462f1e5fa9b37d2621ad7ad19514b403908970
• Review web server logs for evidence of exploitation attempts targeting the survey endpoint
• Alert users about potential phishing attempts using Open edX survey links
• Consider temporarily disabling the survey functionality if immediate patching is not possible

Patch Information

The vulnerability has been fixed in commit 76462f1e5fa9b37d2621ad7ad19514b403908970. The fix removes the ability to pass the redirect_url parameter through the GET request, effectively eliminating the open redirect attack vector. Organizations running Open edX should update to a version containing this fix as soon as possible.

For detailed patch information, refer to the GitHub Security Advisory and the commit details.

Workarounds

• Implement WAF rules to block or sanitize requests to the survey endpoint containing redirect_url parameters with external domains
• Configure a reverse proxy to strip or validate the redirect_url parameter before it reaches the application
• Deploy a Content Security Policy (CSP) that restricts frame ancestors and form actions to trusted domains
• Temporarily disable or restrict access to the survey functionality until the patch can be applied

# Example nginx configuration to block external redirect_url parameters
# Add to your Open edX nginx configuration
location ~ ^/survey/ {
    # Block requests with redirect_url containing http:// or https:// external domains
    if ($args ~* "redirect_url=https?://(?!your-trusted-domain\.com)") {
        return 403;
    }
    proxy_pass http://lms-backend;
}