Unauthenticated Group Chat Vulnerability in PolarLearn by Polar NL
CVE-2026-25885

10 CRITICAL

Key Information:

Vendor: Polarnl
CVE Published: 9 February 2026

What is CVE-2026-25885?

PolarLearn is a free and open-source educational application affected by an unauthenticated access vulnerability in its group chat feature. The group chat WebSocket accepts connections without requiring login credentials. By simply providing the group UUID, any unauthorized client can subscribe to and send messages in any group chat. Because those messages are stored in the group's chatContent, the risk goes beyond visual spam: it affects user privacy and the integrity of group discussions.
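The missing server-side check, sketched as an added example (not PolarLearn's code): identity is bound to the connection from a server-side session, and every subscribe or send frame is authorized against group membership before anything reaches chatContent. The names `sessions`, `groups`, `openConnection` and `handleMessage`, the message shape, and the in-memory data are assumptions made for illustration.

```javascript
// Hypothetical in-memory stand-ins for the session store and group table.
// All tokens, user names and the UUID below are constructed sample data.
const GROUP_ID = "11111111-2222-4333-8444-555555555555";
const sessions = new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]); // token -> userId
const groups = new Map([[GROUP_ID, { members: new Set(["alice"]), chatContent: [] }]]);
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Identity is resolved once, at connection time, from the server-side session.
function openConnection(sessionToken) {
  const userId = sessions.get(sessionToken) ?? null;
  return { userId, subscriptions: new Set() };
}

// Every frame is authorized against the connection's identity, never the payload.
function handleMessage(conn, raw) {
  if (!conn.userId) return { ok: false, error: "unauthenticated" };
  let msg;
  try { msg = JSON.parse(raw); } catch { return { ok: false, error: "bad_json" }; }
  if (msg === null || typeof msg !== "object") return { ok: false, error: "bad_json" };
  if (typeof msg.groupId !== "string" || !UUID_RE.test(msg.groupId))
    return { ok: false, error: "bad_group_id" };
  const group = groups.get(msg.groupId);
  // Same answer for "no such group" and "not a member": knowing a UUID grants nothing.
  if (!group || !group.members.has(conn.userId)) return { ok: false, error: "forbidden" };
  if (msg.type === "subscribe") {
    conn.subscriptions.add(msg.groupId);
    return { ok: true };
  }
  if (msg.type === "send") {
    if (typeof msg.text !== "string" || msg.text.length === 0 || msg.text.length > 2000)
      return { ok: false, error: "bad_text" };
    // Author comes from the session; a client-supplied "author" field is ignored.
    group.chatContent.push({ author: conn.userId, text: msg.text });
    return { ok: true };
  }
  return { ok: false, error: "unknown_type" };
}
```

In a real server the unauthenticated case is better rejected during the WebSocket upgrade, with the per-frame membership check kept as the second layer.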

Affected Version(s)

PolarLearn < 0-PRERELEASE-16

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
