Open edX Enterprise Service Vulnerability Allows SSRF via SAML Metadata

The National Vulnerability Database (NVD) has published CVE-2026-42860, a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Open edX Enterprise Service application, affecting versions 7.0.2 through 7.0.4. The flaw is in the sync_provider_data endpoint of SAMLProviderDataViewSet, the action that fetches SAML metadata for a configured identity provider.

Exploitation takes two requests by an authenticated user holding the Enterprise Admin role. First, a PATCH to SAMLProviderConfigViewSet sets the metadata_source field of a SAMLProviderConfig to an arbitrary URL. Second, a call to sync_provider_data makes the server fetch that URL: fetch_metadata_xml() hands metadata_source straight to requests.get() with no scheme enforcement, no filtering of the resolved address, and no timeout. The request therefore originates from the application server and can reach anything that server can reach, which is what makes it an SSRF.

The vulnerability carries a CVSS score of 8.5. An attacker can use it to reach internal network services, query cloud metadata APIs, or trigger other internal endpoints from the application's network position; because requests.get() is called without a timeout, a slow attacker-controlled server can also hold a request worker open indefinitely. The fix is available in version 7.0.5. The prerequisite is an account with the Enterprise Admin role; in Open edX Enterprise that role is held by enterprise customer administrators rather than only platform operators, so on a multi-tenant instance a tenant administrator may already meet it.
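To make the missing checks concrete, here is an added example of a hardened fetch in the shape of fetch_metadata_xml(). It is not Open edX Enterprise Service code: the function names, the blocked-address policy, the size cap and the pluggable resolver are assumptions made here. It enforces https, resolves the host and rejects loopback, private, link-local (which covers the cloud metadata address) and other non-global addresses on every returned record, refuses embedded credentials and redirects, and bounds both time and response size.

```python
"""Hardened SAML metadata fetch: an added example, not Open edX Enterprise
Service code. Names, policy and the resolver hook are assumptions made here."""
import ipaddress
import socket
from urllib.parse import urlparse

MAX_METADATA_BYTES = 5 * 1024 * 1024  # assumed cap; real IdP metadata is far smaller


class UnsafeMetadataURL(ValueError):
    """Raised when a metadata_source value fails the SSRF checks."""


def _is_blocked_address(addr: str) -> bool:
    """Reject anything that is not a globally routable unicast address:
    loopback, RFC 1918, link-local (covers 169.254.169.254 cloud metadata),
    unspecified, reserved and multicast, plus IPv4-mapped IPv6 forms."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable address: fail closed
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def validate_metadata_url(url: str, resolve=socket.getaddrinfo) -> list[str]:
    """Return the resolved addresses if `url` is acceptable, else raise.

    `resolve` has socket.getaddrinfo's signature; it is a parameter so the
    checks can be exercised without DNS."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UnsafeMetadataURL(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeMetadataURL("URL has no host")
    if parts.username or parts.password:
        raise UnsafeMetadataURL("credentials embedded in the URL are not allowed")
    try:
        infos = resolve(parts.hostname, parts.port or 443, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError) as exc:
        raise UnsafeMetadataURL(f"cannot resolve {parts.hostname!r}") from exc
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise UnsafeMetadataURL(f"{parts.hostname!r} resolved to nothing")
    # Every record must pass: a name with one public and one private answer
    # is still an SSRF vector.
    for addr in addrs:
        if _is_blocked_address(addr):
            raise UnsafeMetadataURL(f"{parts.hostname!r} resolves to blocked address {addr}")
    return addrs


def is_safe_metadata_url(url: str, resolve=socket.getaddrinfo) -> bool:
    """Boolean form of validate_metadata_url, convenient for field validation
    on the PATCH path as well as before the fetch."""
    try:
        validate_metadata_url(url, resolve=resolve)
    except UnsafeMetadataURL:
        return False
    return True


def fetch_metadata_xml_safe(url: str, timeout: float = 10.0) -> bytes:
    """Fetch metadata only after validation, without following redirects and
    with a bounded timeout and body size. requests is imported here so the
    validator above stays usable without it installed."""
    validate_metadata_url(url)
    import requests

    resp = requests.get(url, timeout=timeout, allow_redirects=False, stream=True)
    if resp.status_code != 200:
        # 3xx is deliberately rejected: a redirect could point back inside.
        raise UnsafeMetadataURL(f"unexpected status {resp.status_code} from {url!r}")
    body = bytearray()
    for chunk in resp.iter_content(chunk_size=64 * 1024):
        body.extend(chunk)
        if len(body) > MAX_METADATA_BYTES:
            raise UnsafeMetadataURL("metadata response exceeds size cap")
    return bytes(body)
```

Two caveats on this shape. Validation resolves the name once and requests resolves it again when connecting, so a DNS-rebinding attacker can still pass the check and then answer with an internal address; a stricter guard pins the connection to the validated IP (for example through a custom transport adapter) or repeats the check at connect time. And the check belongs on the metadata_source field when it is written, not only in the fetch, so a bad value is rejected at the PATCH rather than stored and triggered later.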

What This Means For You

  • If you run Open edX Enterprise Service 7.0.2 to 7.0.4, you are exposed to CVE-2026-42860, a high-severity SSRF. Upgrade to version 7.0.5 or later. Until then, review who holds the Enterprise Admin role, tighten access controls on those accounts, and audit the metadata_source value of every SAMLProviderConfig for URLs that point at loopback, private or link-local addresses (including the 169.254.169.254 cloud metadata address) or that use a scheme other than https. An attacker with this role can make your application server issue requests to internal services and cloud metadata endpoints.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules

Three detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; the Sigma YAML for the first is reproduced below.

Level: high · ATT&CK: T1190 (Initial Access)

CVE-2026-42860 - Open edX Enterprise Service SSRF via SAML Metadata Sync

Sigma YAML:
title: CVE-2026-42860 - Open edX Enterprise Service SSRF via SAML Metadata Sync
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  Detects the two requests an authenticated Enterprise Admin needs to exploit
  CVE-2026-42860: a PATCH to the SAMLProviderConfig endpoint that rewrites
  metadata_source, and a later call to the sync_provider_data action on
  SAMLProviderDataViewSet, which makes the server fetch that URL. Web server
  logs do not carry request bodies, so the PATCH is matched on method and path
  only. The two events are matched as separate selections; correlate them per
  user in the SIEM to reduce noise from routine SAML administration.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42860/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_patch_config:
    cs-method: 'PATCH'
    # Route assumed from the viewset name; the advisory does not give the path.
    cs-uri-query|contains: '/api/saml_provider_config/'
  selection_sync:
    cs-uri-query|contains: 'sync_provider_data'
  condition: selection_patch_config or selection_sync
falsepositives:
  - Legitimate administrative activity
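A rule that fires on either request is noisy on a busy site where administrators legitimately edit SAML settings. The sequence that matters is one user changing the provider config and then triggering the sync shortly afterwards. The following is an added example, not part of the page's rule set or of Open edX: it correlates the two events per user over a few constructed log lines, ignoring failed PATCHes because they did not change metadata_source. The line format and the /api/saml_provider_config/ route are assumptions; the advisory names the viewsets and the sync_provider_data action but not their URL paths.

```python
"""Correlate a SAMLProviderConfig PATCH with a later sync_provider_data call
by the same user. Added example; log format and URL paths are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample lines (not real traffic): "<ISO time> <user> <method> <path> <status>".
SAMPLE_LOG_LINES = [
    "2026-05-11T20:01:03Z admin.alice PATCH /api/saml_provider_config/7/ 200",
    "2026-05-11T20:02:10Z admin.alice POST /api/saml_provider_data/7/sync_provider_data/ 200",
    "2026-05-11T20:05:44Z admin.bob POST /api/saml_provider_data/3/sync_provider_data/ 200",
    "2026-05-11T17:40:00Z admin.carol PATCH /api/saml_provider_config/9/ 200",
    "2026-05-11T20:30:00Z admin.carol POST /api/saml_provider_data/9/sync_provider_data/ 200",
    "2026-05-11T20:31:00Z admin.dave PATCH /api/saml_provider_config/4/ 403",
    "2026-05-11T20:31:30Z admin.dave POST /api/saml_provider_data/4/sync_provider_data/ 200",
    "2026-05-11T20:33:00Z learner.eve GET /courses/ 200",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
CONFIG_PATH_MARKER = "/api/saml_provider_config/"  # assumed route for SAMLProviderConfigViewSet
SYNC_PATH_MARKER = "sync_provider_data"            # action name given in the advisory


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; unparseable lines are skipped rather than fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        m["user"], m["method"], m["path"], int(m["status"]),
    )


def correlate_saml_sync(lines, window_minutes: int = 30) -> list:
    """Return one alert per sync_provider_data call whose caller successfully
    PATCHed a provider config within the preceding `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    recent_patches = defaultdict(list)  # user -> timestamps of successful config PATCHes
    alerts = []
    for ev in events:
        if ev.method == "PATCH" and CONFIG_PATH_MARKER in ev.path and 200 <= ev.status < 300:
            recent_patches[ev.user].append(ev.ts)
        elif SYNC_PATH_MARKER in ev.path:
            for patched_at in recent_patches[ev.user]:
                if timedelta(0) <= ev.ts - patched_at <= window:
                    alerts.append({"user": ev.user, "patched_at": patched_at,
                                   "synced_at": ev.ts, "path": ev.path})
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate_saml_sync(SAMPLE_LOG_LINES):
        print(f"ALERT {alert['user']}: config changed {alert['patched_at']:%H:%M:%S}, "
              f"sync triggered {alert['synced_at']:%H:%M:%S} via {alert['path']}")
```

On the sample data only admin.alice trips the 30-minute window; admin.carol's PATCH is nearly three hours earlier and admin.dave's PATCH was denied. In a SIEM the same logic is a per-user sequence or join between the two selections of the Sigma rule. If application logs record the new metadata_source value on the PATCH, add it to the alert and apply the same scheme and address checks used to validate the URL, which turns a behavioural signal into a near-certain one.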

Source: Shimi's Cyber World


Indicators of Compromise

ID             | Type | Indicator
CVE-2026-42860 | SSRF | Open edX Enterprise Service app versions 7.0.2 to 7.0.4
CVE-2026-42860 | SSRF | Vulnerable endpoint: SAMLProviderDataViewSet.sync_provider_data
CVE-2026-42860 | SSRF | Vulnerable parameter: SAMLProviderConfig.metadata_source via SAMLProviderConfigViewSet PATCH endpoint
CVE-2026-42860 | SSRF | Affected function: fetch_metadata_xml() passing URL to requests.get() without validation

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.


Related coverage

CVE-2026-8321: Inkeep Agents Authentication Bypass Vulnerability

CVE-2026-8321 — A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware....

Tags: vulnerability, CVE, high-severity, authentication-bypass, CWE-287, CWE-288 · SCW Vulnerability Desk · Severity: HIGH, score 7.3

CVE-2026-8320 — Jishenghua JshERP Server-Side Request Forgery

CVE-2026-8320 — A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the...

Tags: vulnerability, CVE, medium-severity, server-side-request-forgery, CWE-918 · SCW Vulnerability Desk · Severity: MEDIUM, score 4.7

CVE-2026-8319 — A weakness has been identified in aiwaves-cn agents up to

CVE-2026-8319 — A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recall_relevant_memories_to_working_memory of the file core/cat/looking_glass/stray_cat.py...

Tags: vulnerability, CVE, medium-severity, CWE-400, CWE-404 · SCW Vulnerability Desk · Severity: MEDIUM, score 5.3