Open edX Platform SSRF via Unvalidated URL Parameter (CVE-2026-42858)

The National Vulnerability Database reports a high-severity Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-42858, in the Open edX Platform. This flaw allows an authenticated Enterprise Admin user to force the server to initiate arbitrary HTTP requests to internal network services, cloud metadata endpoints, or attacker-controlled destinations.

The vulnerability resides in the sync_provider_data endpoint within SAMLProviderDataViewSet. According to the National Vulnerability Database, an attacker can supply an unvalidated URL via the metadata_url POST parameter. This URL is then passed directly to requests.get() without any validation of the URL scheme, IP filtering, or general sanitization. This critical oversight grants a malicious actor the ability to probe internal infrastructure, potentially exfiltrate sensitive cloud metadata (e.g., AWS EC2 instance metadata), or leverage the server as a proxy for further attacks.

The attack vector is an authenticated user holding Enterprise Admin privileges. Although exploitation requires authentication, the impact of an SSRF at this level is significant. The National Vulnerability Database indicates the issue is fixed by commits 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054. Defenders should prioritize patching to reduce the risk of internal network reconnaissance and data exfiltration.
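To make the mitigation concrete, the following is an added example (not the project's code and not either fix commit) of the kind of check a fetch of a user-supplied metadata_url needs: only https, no embedded credentials, and every address the host resolves to must be public. The function names, the injectable resolver argument and the fake_resolver helper are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical hardening for a user-supplied metadata_url (an illustration,
# not the Open edX project's own fix). Only https is accepted.
ALLOWED_SCHEMES = {"https"}

class UnsafeMetadataURL(ValueError):
    """Raised when a user-supplied metadata URL must not be fetched."""

def _is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so IPv4 rules apply.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # is_global is False for loopback, link-local (the 169.254.169.254
    # metadata range), RFC 1918, CGNAT, unspecified and reserved space.
    return ip.is_global and not ip.is_multicast

def validate_metadata_url(url, resolver=socket.getaddrinfo):
    """Return url if it is https and its host resolves only to public IPs."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeMetadataURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeMetadataURL("missing host")
    if parts.username or parts.password:
        raise UnsafeMetadataURL("credentials in URL are not allowed")
    try:  # parts.port raises ValueError for an out-of-range port
        infos = resolver(parts.hostname, parts.port or 443, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError) as exc:
        raise UnsafeMetadataURL(f"cannot resolve {parts.hostname!r}") from exc
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    bad = sorted(str(a) for a in addrs if not _is_public(a))
    if bad or not addrs:
        raise UnsafeMetadataURL(f"{parts.hostname!r} is not public: {bad}")
    return url

def is_safe_metadata_url(url, resolver=socket.getaddrinfo):
    """Boolean form of the check for callers that do not want the exception."""
    try:
        validate_metadata_url(url, resolver)
    except UnsafeMetadataURL:
        return False
    return True

# Constructed stand-in for socket.getaddrinfo so hostname cases run offline.
def fake_resolver(*addrs):
    return lambda host, port, **kw: [(None, None, None, "", (a, port)) for a in addrs]
```

Even a validated URL should be fetched with redirects disabled and a timeout, since a public host can redirect to an internal address; the DNS answer can also change between this check and the fetch, so a stricter deployment connects to the validated IP instead of re-resolving.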

What This Means For You

  • If your organization uses Open edX Platform, verify immediately that your deployments carry the fixes for CVE-2026-42858. An attacker with Enterprise Admin access can leverage this SSRF to map your internal network, access cloud metadata, and potentially move laterally. Audit the outbound request logs of your Open edX instances for suspicious destinations.

Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML for one of them is shown below.

Level: high · ATT&CK technique: T1557.001 · Tactic: Lateral Movement

Open edX SSRF via sync_provider_data endpoint - CVE-2026-42858

Sigma YAML:

title: Open edX SSRF via sync_provider_data endpoint - CVE-2026-42858
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-42858 by targeting the sync_provider_data endpoint with a POST request. The rule specifically looks for the 'metadata_url' parameter containing a request to the AWS metadata endpoint (169.254.169.254), a common target for SSRF attacks to exfiltrate cloud credentials. Exploitation requires authenticated Enterprise Admin privileges.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42858/
tags:
  - attack.lateral_movement
  - attack.t1557.001
logsource:
  category: webserver
detection:
  selection:
    cs-uri|startswith:
      - '/api/saml/v1/samlproviderdata/'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'metadata_url='
  selection_indicators:
    cs-uri-query|contains:
      - 'http://169.254.169.254'
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity
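As an added illustration (not part of the original page or the SCW feed), the rule's selection logic applied to constructed access-log lines, with percent-decoding of cs-uri-query so an encoded target is not missed by a literal 'contains'. The log format, the sync_provider_data/ path and the timestamps are assumptions made for the sample.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in W3C-style field order:
# date time cs-method cs-uri cs-uri-query ("-" when empty). Not real traffic.
SAMPLE_LOG = """\
2026-05-11 21:20:01 POST /api/saml/v1/samlproviderdata/sync_provider_data/ metadata_url=http://169.254.169.254/latest/meta-data/
2026-05-11 21:20:05 POST /api/saml/v1/samlproviderdata/sync_provider_data/ metadata_url=https://idp.example.edu/metadata.xml
2026-05-11 21:20:09 POST /api/saml/v1/samlproviderdata/sync_provider_data/ metadata_url=http%3A%2F%2F169.254.169.254%2Flatest%2F
2026-05-11 21:20:12 GET /api/saml/v1/samlproviderdata/ -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Split one log line into the cs-* fields the Sigma rule references."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, method, uri, query = m.groups()
    return {"ts": f"{date} {time}", "cs-method": method, "cs-uri": uri,
            "cs-uri-query": "" if query == "-" else query}

def matches_rule(event, decode=True):
    """Evaluate 'selection and selection_indicators' from the rule above."""
    query = unquote(event["cs-uri-query"]) if decode else event["cs-uri-query"]
    selection = (event["cs-uri"].startswith("/api/saml/v1/samlproviderdata/")
                 and event["cs-method"] == "POST"
                 and "metadata_url=" in query)
    selection_indicators = "http://169.254.169.254" in query
    return selection and selection_indicators

def alerts(log_text, decode=True):
    """Timestamps of the lines that fire the rule."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e["ts"] for e in events if e and matches_rule(e, decode)]
```

cs-uri-query carries only the URL query string; a metadata_url submitted in the POST body never appears in it, so covering that form needs the application's own request logging rather than the web server's access log.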

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type  Indicator
CVE-2026-42858  SSRF  Open edX Platform
CVE-2026-42858  SSRF  Vulnerable endpoint: sync_provider_data in SAMLProviderDataViewSet
CVE-2026-42858  SSRF  Vulnerable parameter: metadata_url POST parameter
CVE-2026-42858  SSRF  Affected function: fetch_metadata_xml() using requests.get()
CVE-2026-42858  SSRF  Fixed by commits: 6fda1f120ff5a590d120ae1180185525f399c6d0, 70a56246dd9c9df57c596e64bdd8a11b1d9da054

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
