CVE-2026-31946: Critical JWT Signature Verification Bypass in OpenOlat E-Learning Platform

Executive Summary

A critical authentication bypass vulnerability (CVE-2026-31946) has been disclosed in OpenOlat, the widely used open-source e-learning and learning management system (LMS). The vulnerability carries a CVSS v3.1 score of 9.8 (Critical) and is classified as CWE-347: Improper Verification of Cryptographic Signature.

The flaw exists in OpenOlat's OpenID Connect (OIDC) implicit flow implementation, where the JSONWebToken.parse() method silently discards JWT signatures rather than validating them. This means an attacker can forge arbitrary JWT tokens — including those with elevated privilege claims — and authenticate as any user on the platform, including system administrators, without possessing valid credentials.

All OpenOlat versions from 10.5.4 to before 20.2.5 are affected. Institutions using OpenOlat for academic courses, certifications, or sensitive training content should patch immediately or disable OIDC authentication.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-31946
CVSS Score	9.8 (Critical)
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
CWE	CWE-347 — Improper Verification of Cryptographic Signature
Type	Authentication Bypass / Privilege Escalation
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Yes — version 20.2.5

Affected Versions

Product	Affected Versions	Fixed Version
OpenOlat	10.5.4 through 20.2.4 (inclusive)	20.2.5

Technical Analysis

Root Cause

OpenOlat's OIDC implementation uses a JSONWebToken.parse() helper to process incoming ID tokens from an identity provider. The critical flaw is that this method silently discards the JWT signature rather than verifying it against the identity provider's public key.

A JWT (JSON Web Token) is structured as three Base64-encoded segments separated by dots:

<header>.<payload>.<signature>

The signature segment is computed by the identity provider using its private key over the header and payload. The relying party (OpenOlat) must verify this signature against the IdP's published public key to confirm the token was legitimately issued. When JSONWebToken.parse() ignores the signature field, an attacker can craft a token with arbitrary claims — such as sub (subject/user ID), email, or role claims — and present it as a valid authentication assertion.

Attack Flow

1. Attacker identifies an OpenOlat instance with OIDC login enabled
2. Attacker crafts a JWT payload with arbitrary user claims:
   {
     "sub": "admin@university.edu",
     "email": "admin@university.edu",
     "roles": ["admin", "author"]
   }
3. Attacker base64url-encodes a fake header + crafted payload
4. Attacker appends an invalid or empty signature segment
5. Attacker submits the forged token to OpenOlat's OIDC callback endpoint
6. OpenOlat's JSONWebToken.parse() processes the token without checking the signature
7. Attacker is authenticated as the target user with full access

Why CVSS 9.8

The near-maximum CVSS score reflects:

No authentication required (PR:N) — attack is completely unauthenticated
No user interaction (UI:N) — fully automated exploitation
Low complexity (AC:L) — crafting a JWT requires trivial tooling
Full C/I/A impact — complete account takeover with admin-level access

Impact Assessment

Impact Area	Description
Full Account Takeover	Impersonate any user including system administrators
Academic Integrity Violation	Modify exam results, course completions, grades
Data Exfiltration	Access private course materials, student PII, assessment data
Content Manipulation	Alter or delete course content, announcements, assessments
Credential Harvesting	Potentially extract credentials if stored in user profiles
Compliance Exposure	FERPA (US), GDPR (EU) breach notifications for student data
Platform Disruption	Administrative access enables full platform reconfiguration

Affected Deployment Contexts

OpenOlat is used by universities, vocational training institutions, corporate training programs, and certification bodies. Compromise can expose:

Student personal data and academic records
Proprietary course content and intellectual property
Assessment materials and answer keys
Staff and faculty personally identifiable information

Immediate Remediation

Step 1: Update to OpenOlat 20.2.5

OpenOlat 20.2.5 introduces proper JWT signature verification using the identity provider's published JWKS (JSON Web Key Set) endpoint.

# Docker-based OpenOlat deployment
docker pull openolat/openolat:20.2.5
docker compose down && docker compose up -d
 
# Verify the running version
docker exec <openolat-container> cat /opt/openolat/version.properties | grep version

For traditional deployments, follow the OpenOlat upgrade documentation.

Step 2: Disable OIDC Authentication (Interim Mitigation)

If immediate patching is not possible, disable the OpenID Connect login method:

# In olat.local.properties — disable OIDC provider
olatprovider.enable=false
# Force all users to local authentication only

Restart the application server after the configuration change.

Step 3: Audit Authentication Logs

Review OIDC authentication events for suspicious patterns such as logins from unexpected IP addresses or logins for accounts that don't use SSO:

# OpenOlat logs unexpected OIDC authentications
# Check application logs for OIDC callback events
grep -i "oidc\|openid\|oauth" /opt/openolat/logs/olat.log | grep -i "login\|auth" | tail -200
 
# Look for admin-level OIDC logins from unusual sources
grep -i "role.*admin\|admin.*login" /opt/openolat/logs/olat.log | tail -100

Step 4: Rotate All Privileged Credentials

# Force password reset for all administrator accounts
# via OpenOlat Admin panel: Administration > User Management > Force Reset

Detection Indicators

Indicator	Description
OIDC logins from unexpected geographic regions	Account takeover via forged JWT
Admin logins outside business hours	Unauthorized privilege escalation
Unusual course modification or deletion events	Post-compromise data tampering
Bulk student data export events	Data exfiltration attempt
Account password changes for admin users	Attacker establishing persistence
Malformed JWT tokens in web access logs	Crafted tokens with invalid signatures

Post-Remediation Checklist

Update OpenOlat to 20.2.5 or later on all instances
Disable OIDC if patching is delayed, reverting to local authentication
Audit admin accounts — review for unauthorized additions or privilege changes
Review authentication logs for the vulnerable period for all OIDC logins
Notify affected users if unauthorized access is confirmed
Rotate all admin credentials after patching
Enable JWKS validation in OIDC configuration post-patch and verify it is active
Conduct GDPR/FERPA breach assessment if student PII exposure is confirmed

References

Executive Summary

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-31946
CVSS Score	9.8 (Critical)
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
CWE	CWE-347 — Improper Verification of Cryptographic Signature
Type	Authentication Bypass / Privilege Escalation
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Yes — version 20.2.5

Affected Versions

Product	Affected Versions	Fixed Version
OpenOlat	10.5.4 through 20.2.4 (inclusive)	20.2.5

Technical Analysis

Root Cause

A JWT (JSON Web Token) is structured as three Base64-encoded segments separated by dots:

<header>.<payload>.<signature>

Attack Flow

1. Attacker identifies an OpenOlat instance with OIDC login enabled
2. Attacker crafts a JWT payload with arbitrary user claims:
   {
     "sub": "admin@university.edu",
     "email": "admin@university.edu",
     "roles": ["admin", "author"]
   }
3. Attacker base64url-encodes a fake header + crafted payload
4. Attacker appends an invalid or empty signature segment
5. Attacker submits the forged token to OpenOlat's OIDC callback endpoint
6. OpenOlat's JSONWebToken.parse() processes the token without checking the signature
7. Attacker is authenticated as the target user with full access

Why CVSS 9.8

The near-maximum CVSS score reflects:

No authentication required (PR:N) — attack is completely unauthenticated
No user interaction (UI:N) — fully automated exploitation
Low complexity (AC:L) — crafting a JWT requires trivial tooling
Full C/I/A impact — complete account takeover with admin-level access

Impact Assessment

Impact Area	Description
Full Account Takeover	Impersonate any user including system administrators
Academic Integrity Violation	Modify exam results, course completions, grades
Data Exfiltration	Access private course materials, student PII, assessment data
Content Manipulation	Alter or delete course content, announcements, assessments
Credential Harvesting	Potentially extract credentials if stored in user profiles
Compliance Exposure	FERPA (US), GDPR (EU) breach notifications for student data
Platform Disruption	Administrative access enables full platform reconfiguration

Affected Deployment Contexts

OpenOlat is used by universities, vocational training institutions, corporate training programs, and certification bodies. Compromise can expose:

Student personal data and academic records
Proprietary course content and intellectual property
Assessment materials and answer keys
Staff and faculty personally identifiable information

Immediate Remediation

Step 1: Update to OpenOlat 20.2.5

OpenOlat 20.2.5 introduces proper JWT signature verification using the identity provider's published JWKS (JSON Web Key Set) endpoint.

# Docker-based OpenOlat deployment
docker pull openolat/openolat:20.2.5
docker compose down && docker compose up -d
 
# Verify the running version
docker exec <openolat-container> cat /opt/openolat/version.properties | grep version

For traditional deployments, follow the OpenOlat upgrade documentation.

Step 2: Disable OIDC Authentication (Interim Mitigation)

If immediate patching is not possible, disable the OpenID Connect login method:

# In olat.local.properties — disable OIDC provider
olatprovider.enable=false
# Force all users to local authentication only

Restart the application server after the configuration change.

Step 3: Audit Authentication Logs

Review OIDC authentication events for suspicious patterns such as logins from unexpected IP addresses or logins for accounts that don't use SSO:

# OpenOlat logs unexpected OIDC authentications
# Check application logs for OIDC callback events
grep -i "oidc\|openid\|oauth" /opt/openolat/logs/olat.log | grep -i "login\|auth" | tail -200
 
# Look for admin-level OIDC logins from unusual sources
grep -i "role.*admin\|admin.*login" /opt/openolat/logs/olat.log | tail -100

Step 4: Rotate All Privileged Credentials

# Force password reset for all administrator accounts
# via OpenOlat Admin panel: Administration > User Management > Force Reset

Detection Indicators

Indicator	Description
OIDC logins from unexpected geographic regions	Account takeover via forged JWT
Admin logins outside business hours	Unauthorized privilege escalation
Unusual course modification or deletion events	Post-compromise data tampering
Bulk student data export events	Data exfiltration attempt
Account password changes for admin users	Attacker establishing persistence
Malformed JWT tokens in web access logs	Crafted tokens with invalid signatures

Post-Remediation Checklist

Update OpenOlat to 20.2.5 or later on all instances
Disable OIDC if patching is delayed, reverting to local authentication
Audit admin accounts — review for unauthorized additions or privilege changes
Review authentication logs for the vulnerable period for all OIDC logins
Notify affected users if unauthorized access is confirmed
Rotate all admin credentials after patching
Enable JWKS validation in OIDC configuration post-patch and verify it is active
Conduct GDPR/FERPA breach assessment if student PII exposure is confirmed

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Why CVSS 9.8

Impact Assessment

Affected Deployment Contexts

Immediate Remediation

Step 1: Update to OpenOlat 20.2.5

Step 2: Disable OIDC Authentication (Interim Mitigation)

Step 3: Audit Authentication Logs

Step 4: Rotate All Privileged Credentials

Detection Indicators

Post-Remediation Checklist

References

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Why CVSS 9.8

Impact Assessment

Affected Deployment Contexts

Immediate Remediation

Step 1: Update to OpenOlat 20.2.5

Step 2: Disable OIDC Authentication (Interim Mitigation)

Step 3: Audit Authentication Logs

Step 4: Rotate All Privileged Credentials

Detection Indicators

Post-Remediation Checklist

References