Access Control Vulnerability in Open edX Platform
CVE-2025-68270

9.9CRITICAL

Key Information:

Vendor

Openedx

Status
Edx-platform
Vendor
CVE Published:
16 December 2025

What is CVE-2025-68270?

The Open edX Platform faced a vulnerability allowing CourseLimitedStaffRole users to improperly access and edit course materials within the studio environment. This occurred when users were granted roles at the organization level instead of on a per-course basis. As a result, these users could see and modify courses they were not intended to access. The issue has been resolved with the commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, which restricts the privileges of CourseLimitedStaffRole users to ensure appropriate access levels.

Affected Version(s)

edx-platform < 05d0d0936daf82c476617257aa6c35f0cd4ca060

References

https://github.com/openedx/edx-platform/security/advisori...
x_refsource_CONFIRM
https://github.com/openedx/edx-platform/pull/37772
x_refsource_MISC
https://github.com/openedx/edx-platform/pull/37773
x_refsource_MISC

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.