CVE-2025-68270 CRITICAL

CVE-2025-68270: CourseLimitedStaff Role Allows Studio Access

Vendor Openedx
Product edx-platform
Weakness CWE-862 · Missing authorization
Published December 16, 2025
Last update December 16, 2025
View on NVD All CVEs

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and CourseLimitedStaffRole users are able to list courses they have the role on in studio even though they are not meant to have any access on the studio side for the course. Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 fixes the issue.

Key dates

02Disclosure timeline

December 16, 2025 CVE published
December 16, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-1337 SKT Page Builder <= 4.1 - Missing Authorization to Authenticated(Subscriber+) Content Injection CVE-2024-33558 WordPress XStore Core plugin <= 5.3.5 - Limited Arbitrary File Download vulnerability CVE-2026-24627 WordPress Trusona for WordPress plugin <= 2.0.0 - Broken Access Control vulnerability CVE-2026-42083 free5GC: PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI CVE-2024-31304 WordPress MultiVendorX Marketplace <= 4.1.3 - Broken Access Control vulnerability