{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25885", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-06T21:08:39.129Z", "datePublished": "2026-02-09T21:15:33.419Z", "dateUpdated": "2026-02-10T15:58:03.240Z"}, "containers": {"cna": {"title": "PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c"}, {"name": "https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f", "tags": ["x_refsource_MISC"], "url": "https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f"}], "affected": [{"vendor": "polarnl", "product": "PolarLearn", "versions": [{"version": "< 0-PRERELEASE-16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:15:33.419Z"}, "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group\u2019s chatContent, so this is not just a visual spam issue."}], "source": {"advisory": "GHSA-gvjm-5pw7-6c8c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:39:32.428972Z", "id": "CVE-2026-25885", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:58:03.240Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25885", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:39:32.428972Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:39:33.292Z"}}], "cna": {"title": "PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats", "source": {"advisory": "GHSA-gvjm-5pw7-6c8c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "polarnl", "product": "PolarLearn", "versions": [{"status": "affected", "version": "< 0-PRERELEASE-16"}]}], "references": [{"url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c", "name": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f", "name": "https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group\u2019s chatContent, so this is not just a visual spam issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:15:33.419Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25885", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:58:03.240Z", "dateReserved": "2026-02-06T21:08:39.129Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T21:15:33.419Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*", "matchCriteriaId": "98DA1036-1EFB-46E7-9C83-425B1C6E6F23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group\u2019s chatContent, so this is not just a visual spam issue."}, {"lang": "es", "value": "PolarLearn es un programa de aprendizaje de c\u00f3digo abierto y gratuito. En 0-PRERELEASE-16 y versiones anteriores, el WebSocket de chat grupal en wss://polarlearn.nl/API/v1/ws puede utilizarse sin iniciar sesi\u00f3n. Un cliente no autenticado puede suscribirse a cualquier chat grupal proporcionando un UUID de grupo, y tambi\u00e9n puede enviar mensajes a cualquier grupo. El servidor acepta el mensaje y lo almacena en el chatContent del grupo, por lo que esto no es solo un problema de correo no deseado visual."}], "id": "CVE-2026-25885", "lastModified": "2026-02-20T20:47:36.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T22:16:03.583", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0-PRERELEASE-16)"}}], "product": "polarlearn", "vendor": "polarnl"}], "analysis": {"en": {"generated_at": "2026-04-17T21:09:33.131349+00:00", "value": {"mitigation_remediation": ["Upgrade PolarLearn to version 0\u2011PRERELEASE\u201117 or later where the WebSocket endpoint requires authentication.", "If an upgrade cannot occur immediately, block external access to the WebSocket endpoint with a firewall or reverse proxy, allowing only trusted internal hosts to connect.", "Configure the server to log and alert on anomalous message traffic and periodically review group chatContent for integrity."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Write to Group Chats"}, "threat_synthesis": {"affected_systems": "polarnl PolarLearn versions 0\u2011PRERELEASE\u201116 and earlier are affected.", "description_and_impact": "The vulnerability lies in the PolarLearn group chat WebSocket, which can be accessed without authentication. An unauthenticated client can subscribe to any group chat by providing its UUID and can also post messages to that group. These messages are accepted by the server and stored in the chatContent field, making the issue a data integrity and potential misinformation problem rather than just a visual spam issue. The weakness maps to CWE-285 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).", "risk_and_exploitability": "The CVSS score of 10 indicates critical severity, while the EPSS score of less than 1% suggests that zero\u2011day exploitation is currently unlikely but still a risk. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: any client with network access to wss://polarlearn.nl/api/v1/ws can open a WebSocket connection, provide a group UUID to subscribe, and then send arbitrary messages. No credentials are required, and the server stores those messages, resulting in persistent data tampering."}}}}, "created": "2026-02-10T11:35:04.145300+00:00", "updated": "2026-04-17T21:15:27.383323+00:00", "vendors": ["polarnl", "polarnl$PRODUCT$polarlearn"]}