Server-Side Request Forgery in Open edX Platform sync_provider_data Endpoint, Exploitable by Enterprise Admin Users
CVE-2026-42858

8.5HIGH

Key Information:

Vendor

Openedx

CVE Published:
11 May 2026

What is CVE-2026-42858?

The Open edX Platform's sync_provider_data endpoint accepts an arbitrary URL in the metadata_url POST parameter from authenticated Enterprise Admin users. fetch_metadata_xml() then fetches that URL server-side without validating it, so an Enterprise Admin can make the platform issue requests to internal services or to attacker-controlled hosts (server-side request forgery, not code execution), exposing data and services that are reachable only from the server's network position. The flaw is fixed in openedx-platform commit 6fda1f120ff5a590d120ae1180185525f399c6d0; builds before that commit are affected. Until the fix is deployed, limit the Enterprise Admin role to trusted accounts and, where possible, block egress from application servers to internal address ranges and cloud metadata endpoints.
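The pattern described above, shown as an added example that is not Open edX code: a "fetch metadata from this URL" function in its vulnerable form next to a validated form. The function names (validate_metadata_url, fetch_metadata_xml_safe), the fake DNS table and the sample URLs are assumptions constructed for the example; the checks themselves are the standard SSRF controls (scheme and port allowlist, no credentials in the authority, every resolved address must be public, and the checked address is pinned for the actual connection).

```python
# Added example (not Open edX code). Names such as validate_metadata_url,
# fetch_metadata_xml_safe, FAKE_DNS and SAMPLE_URLS are assumptions for the demo.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


class UnsafeMetadataURL(ValueError):
    """Raised when a user-supplied metadata URL fails the SSRF checks."""


def system_resolver(host):
    """Resolve a hostname to all of its addresses (real DNS; the demo injects a fake)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:127.0.0.1 style bypass
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_metadata_url(url, resolver=system_resolver):
    """Return (hostname, pinned_ip) for a URL that is safe to fetch, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeMetadataURL("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise UnsafeMetadataURL("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeMetadataURL("credentials in URL authority")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeMetadataURL("invalid port") from None
    if port is None:
        port = 443
    if port not in ALLOWED_PORTS:
        raise UnsafeMetadataURL("port not allowed: %r" % port)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafeMetadataURL("host does not resolve")
    # Every answer must be public; a mixed public/private answer is how DNS rebinding starts.
    for addr in addrs:
        if not _is_public(addr):
            raise UnsafeMetadataURL("host resolves to non-public address %s" % addr)
    return host, addrs[0]


def fetch_metadata_xml_unsafe(metadata_url, opener):
    """The vulnerable pattern: whatever the admin posted is fetched as-is."""
    return opener(metadata_url, None)


def fetch_metadata_xml_safe(metadata_url, opener, resolver=system_resolver):
    """Validate first, then give the opener the checked address to connect to.
    The opener must also refuse redirects and bound timeouts and body size."""
    _host, pinned_ip = validate_metadata_url(metadata_url, resolver)
    return opener(metadata_url, pinned_ip)


# Constructed sample data so the example runs offline (assumptions, not real records).
FAKE_DNS = {
    "idp.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}
SAMPLE_URLS = [
    "https://idp.example.com/saml/metadata",        # legitimate identity-provider metadata
    "http://idp.example.com/saml/metadata",         # plaintext scheme
    "https://169.254.169.254/latest/meta-data/",    # cloud metadata service
    "https://[::ffff:127.0.0.1]/",                  # IPv4-mapped loopback
    "https://user@idp.example.com/",                # credentials in authority
    "https://idp.example.com:8080/",                # internal admin port
    "https://rebind.example.com/",                  # one public, one private answer
    "https://localhost/",                           # no answer from the fake resolver
    "file:///etc/passwd",                           # non-network scheme
]


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_opener(url, pinned_ip):
    return b"<EntityDescriptor/>"  # stands in for the HTTP fetch


def classify(urls=SAMPLE_URLS):
    """Map each URL to 'fetched' or to the reason the safe fetcher rejected it."""
    result = {}
    for url in urls:
        try:
            fetch_metadata_xml_safe(url, fake_opener, fake_resolver)
            result[url] = "fetched"
        except UnsafeMetadataURL as exc:
            result[url] = "rejected: " + str(exc)
    return result


if __name__ == "__main__":
    for url, verdict in classify().items():
        print(url, "->", verdict)
```

Two points are easy to miss when hardening an endpoint like this. Validating the URL and then letting an HTTP client resolve the name again leaves a window for DNS rebinding, which is why the validated address is returned for pinning; and any redirect from the fetched server is a second, unvalidated URL, so the client must not follow redirects automatically.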

Affected Version(s)

openedx-platform < 6fda1f120ff5a590d120ae1180185525f399c6d0


CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Vector (as listed above):
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

Note: the metrics listed above compute to 9.9 under the CVSS v3.1 formula, not 8.5. A score of 8.5 corresponds to Availability: None (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), which also fits an SSRF that reads data rather than denying service, so the availability entry is likely a transcription error. Confirm the vector against the authoritative advisory before reusing it.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 11 May 2026