{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35610", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.163Z", "datePublished": "2026-04-07T16:56:57.483Z", "dateUpdated": "2026-04-07T18:32:36.607Z"}, "containers": {"cna": {"title": "PolarLearn has a Server Action Admin Bypass in Account Management Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-8hww-w7cc-77rj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-8hww-w7cc-77rj"}], "affected": [{"vendor": "polarnl", "product": "PolarLearn", "versions": [{"version": "<= 0-PRERELEASE-14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:56:57.483Z"}, "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute both actions, while real admins were rejected. This is a direct privilege-escalation issue in the application."}], "source": {"advisory": "GHSA-8hww-w7cc-77rj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:32:10.510698Z", "id": "CVE-2026-35610", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:32:36.607Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*", "matchCriteriaId": "98DA1036-1EFB-46E7-9C83-425B1C6E6F23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute both actions, while real admins were rejected. This is a direct privilege-escalation issue in the application."}], "id": "CVE-2026-35610", "lastModified": "2026-04-16T18:04:50.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:35.260", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-8hww-w7cc-77rj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0-PRERELEASE-14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PolarLearn", "source": "cna", "vendor": "polarnl"}, "product": "polarlearn", "vendor": "polarnl"}], "analysis": {"en": {"generated_at": "2026-04-07T22:44:07.369107+00:00", "value": {"mitigation_remediation": ["Upgrade PolarLearn to version 0-PRERELEASE\u201115 or later, where the inverted admin check has been fixed."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "PolarLearn, the free and open\u2011source learning platform from polarnl, is affected in all releases up to and including 0\u2011PRERELEASE\u201114. Versions released after 0\u2011PRERELEASE\u201114 contain a corrected check and are no longer vulnerable.", "description_and_impact": "A flaw in PolarLearn\u2019s account\u2011management module reverses the administrative check for the setCustomPassword and deleteUser functions, allowing any authenticated, non\u2011admin user to invoke these actions while real administrators are denied. This inversion grants ordinary users the ability to reset passwords for any account and delete users, effectively elevating their privileges to system administrators. The weakness is identified as CWE\u2011285: Improper Authorization.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity issue. Although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the attack scenario is straightforward: an authenticated non\u2011admin user simply sends requests to the vulnerable endpoints while maintaining an active session. As a result, any user with valid credentials can acquire full administrative control, compromising all data and system integrity."}}}}, "created": "2026-04-08T19:36:32.753355+00:00", "updated": "2026-04-08T19:47:35.549575+00:00", "vendors": ["polarnl", "polarnl$PRODUCT$polarlearn"]}