CVE-2026-41243 PUBLISHED

OpenLearn's pending forum posts remain publicly readable by direct ID when moderation mode is enabled

Assigner: GitHub_M
Reserved: 18.04.2026 Published: 23.04.2026 Updated: 23.04.2026

OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when safeMode is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit 844b2a40a69d0c4911580fe501923f0b391313ab fixes the issue.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	siemvk
Product	OpenLearn
Versions	Version < 844b2a40a69d0c4911580fe501923f0b391313ab is affected

References

Problem Types

CWE-284: Improper Access Control CWE