CVE-2026-35404 MEDIUM

CVE-2026-35404: Open edX Platform has an Open Redirect in Survey Views via Unvalidated redirect_url Parameter

Vendor Openedx
Product openedx-platform
Weakness CWE-601 · Open redirect
Published April 6, 2026
Last update May 11, 2026

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
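One server-side mitigation for this class of bug, added here as an illustration (it is not the project's code and does not reproduce the fix in commit 76462f1e5fa9b37d2621ad7ad19514b403908970): validate redirect_url against the deployment's own host before it reaches HttpResponseRedirect(), the hidden form field, or the JSON response that feeds location.href. The checks follow the approach of Django's url_has_allowed_host_and_scheme(); the host names and fallback path are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed values: the deployment's own LMS host and a safe fallback target.
ALLOWED_HOSTS = {"lms.example.edu"}
DEFAULT_REDIRECT = "/dashboard"


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `url` is a same-site relative path or an http(s)
    URL whose host is in `allowed_hosts`. Everything else is rejected."""
    if not url:
        return False
    url = url.strip()
    # CR/LF/TAB can smuggle a second URL past naive parsers; refuse them outright.
    if any(c in url for c in "\r\n\t"):
        return False
    # Browsers treat backslashes as slashes ('/\evil.example' == '//evil.example').
    url = url.replace("\\", "/")
    # Scheme-relative '//host/...' leaves the site while looking like a path.
    if url.startswith("//"):
        return False
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # Only web schemes; blocks javascript:, data:, etc.
    if scheme and scheme not in ("http", "https"):
        return False
    # 'http:///evil.example' parses with an empty netloc but browsers still go there.
    if scheme and not parts.netloc:
        return False
    if not parts.netloc:
        return True  # plain relative path such as '/courses/demo/'
    # parts.hostname drops userinfo, so 'http://lms.example.edu@evil.example/' yields
    # 'evil.example' and is correctly rejected.
    return parts.hostname in allowed_hosts


def resolve_redirect(url, fallback=DEFAULT_REDIRECT):
    """Target to hand to HttpResponseRedirect(): the validated URL or the fallback."""
    return url if is_safe_redirect(url) else fallback
```

The same function should gate the value before it is written into the hidden form field and the JSON response, since the client-side location.href assignment trusts whatever the server returned.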

Key dates

02 Disclosure timeline

April 6, 2026 CVE published
May 11, 2026 Record updated