Threat Advisory

edx-enterprise Vulnerability Leaks Cloud Credentials with Server Side Interactions

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-42860, with a CVSS score of 8.5, is a Server-Side Request Forgery (SSRF) vulnerability in the edx-enterprise package. It exists in the SAML provider configuration workflow where an authenticated Enterprise Admin can submit a crafted URL via the SAMLProviderConfig endpoint, which is then directly processed by requests.get() without proper validation such as scheme restrictions, IP filtering, or timeout enforcement. This flaw allows the server to make arbitrary outbound HTTP requests, enabling attackers to access internal services, probe private network infrastructure, and retrieve cloud metadata credentials from environments like AWS, GCP, or Azure. Successful exploitation could lead to exposure of sensitive internal APIs, credential theft, and potential compromise of underlying cloud infrastructure, provided the attacker has Enterprise Admin privileges within a configured SAML-enabled enterprise deployment.
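As an added illustration (not code from edx-enterprise or from its fix), the hypothetical helper below applies the three controls the summary lists as missing around requests.get(): an HTTPS-only scheme allowlist, rejection of URLs whose host resolves to a non-public address, and a bounded timeout. The resolver parameter and every hostname and address in the comments are constructed so the check runs without network access.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical hardening helper (not edx-enterprise code): validate a SAML
# metadata URL before the server is allowed to fetch it.

ALLOWED_SCHEMES = {"https"}   # IdP metadata should only be fetched over TLS
FETCH_TIMEOUT_SECONDS = 5     # bound how long one fetch can hold a worker


def _resolve(host):
    """Resolve a host to all of its IPv4/IPv6 addresses via DNS."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def url_rejection_reason(url, resolver=_resolve):
    """Return None if `url` may be fetched, otherwise a short reason string.

    `resolver` is injectable so the check can be exercised offline.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parsed.scheme!r}"
    if not parsed.hostname:
        return "URL has no host"
    if parsed.username or parsed.password:
        return "credentials embedded in URL"
    try:
        addresses = [ipaddress.ip_address(a) for a in resolver(parsed.hostname)]
    except (socket.gaierror, ValueError):
        return f"cannot resolve host {parsed.hostname!r}"
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata services live), ULA and documentation ranges.
    for addr in addresses:
        if not addr.is_global:
            return f"host resolves to non-public address {addr}"
    return None


def fetch_metadata(url):
    """Validate, then fetch with a timeout and without following redirects.

    Redirects are refused so a public host cannot bounce the server to an
    internal one after validation. A DNS-rebinding window remains between the
    lookup above and the one requests performs; closing it requires pinning
    the connection to the validated address.
    """
    reason = url_rejection_reason(url)
    if reason is not None:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    import requests  # imported here so the validator has no third-party dependency

    response = requests.get(url, timeout=FETCH_TIMEOUT_SECONDS, allow_redirects=False)
    response.raise_for_status()
    return response.text
```

In a Django-based service the reason string would typically be surfaced as a form or serializer validation error on the URL field rather than raised from the fetch path.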



RECOMMENDATION:

We strongly recommend updating edx-enterprise to a release that contains the fix; see the releases page: https://github.com/openedx/edx-enterprise/releases

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-64cv-vxpr-j6vc
