Open edX Platform Vulnerability in URL Redirection Logic
CVE-2026-35404

4.7 MEDIUM

Key Information:

Vendor: Openedx

CVE Published: 6 April 2026

What is CVE-2026-35404?

The Open edX Platform contains an unvalidated URL redirection (open redirect) vulnerability in the view_survey endpoint. An attacker can trigger it by supplying a non-existent survey name, which causes the server to redirect to an attacker-controlled URL. Because the redirect originates from the legitimate platform, the URL can be used for phishing and credential theft against authenticated users. In addition, the unvalidated URL is embedded in a hidden form field and returned in a JSON response, which widens the exposure through client-side JavaScript that consumes that value. A fix has been implemented in a recent commit.
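The bug class described above is an open redirect: a user-supplied value reaches a Location header (and here also a hidden form field and a JSON body) without being checked against the hosts the application is allowed to send users to. The following is an added, dependency-free Python example; it is not Open edX code and does not reproduce the project's actual fix. It assumes a configured set of allowed hostnames (the names is_safe_redirect, resolve_redirect and the sample hosts are constructed for the example). In a Django application such as Open edX the same job is done by django.utils.http.url_has_allowed_host_and_scheme; the hand-written version here makes the individual checks visible.

```python
"""Validate a redirect target before using it in a Location header,
a hidden form field, or a JSON response (added example, not Open edX code)."""
from urllib.parse import urlsplit

# Only web schemes may be followed; "javascript:", "data:" etc. are rejected.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """Return True only if `target` is a local path or an http(s) URL
    whose host is in `allowed_hosts` (assumed to come from configuration)."""
    if not target:
        return False
    # Whitespace and control characters are tolerated by some parsers and
    # browsers in ways that differ from urlsplit, so refuse them outright.
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # is navigated as "//evil.example". Normalise before parsing.
    normalized = target.replace("\\", "/")
    try:
        parts = urlsplit(normalized)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a path rooted at "/" (a single slash).
        # "//host/path" is protocol-relative and has a netloc, so it never
        # reaches this branch.
        return normalized.startswith("/") and not normalized.startswith("//")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # `hostname` strips userinfo and port, so "https://good@evil/" resolves
    # to "evil" and is rejected unless "evil" is explicitly allowed.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_redirect(target: str, allowed_hosts: set[str], fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a safe fallback.
    Use the returned value everywhere the original value would have gone:
    the redirect, the hidden form field and the JSON body alike."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: one allowed host and a few attacker-shaped targets.
    hosts = {"courses.example"}
    for candidate in (
        "/dashboard",
        "https://courses.example/survey/done",
        "//evil.example/login",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://courses.example@evil.example/",
    ):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate, hosts)!r}")
```

The important design choice is that the validated value, not the raw input, is what gets written back into every sink. Validating only the redirect while still echoing the raw value into a hidden field or a JSON response leaves the client-side path described in the advisory intact.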

Affected Version(s)

openedx-platform < 76462f1e5fa9b37d2621ad7ad19514b403908970

References

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved