PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35404 Openedx CVE debrief

CVE-2026-35404 is an Open edX Platform open redirect vulnerability in the view_survey endpoint. According to the NVD record and GitHub security advisory, the endpoint accepts a redirect_url GET parameter and passes it directly to HttpResponseRedirect() without URL validation. When a survey name does not exist, the server can immediately return an HTTP 302 redirect to an attacker-controlled URL. The same unvalidated URL is also reflected into a hidden form field and into a JSON response after form submission, where client-side JavaScript performs location.href = url. The practical security concern is phishing and credential theft against authenticated Open edX users. The issue is assigned CVSS 3.1 4.7 (MEDIUM) and was published on 2026-04-06; a fix is referenced in Open edX commit 76462f1e5fa9b37d2621ad7ad19514b403908970.

Vendor: Openedx
Product: CVE-2026-35404
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-06
Original CVE updated: 2026-05-11
Advisory published: 2026-04-06
Advisory updated: 2026-05-11

Who should care

Open edX administrators, SaaS operators, security teams, and anyone running user-facing learning portals should care most, especially if the survey view is reachable by authenticated users. Teams that rely on Open edX for logins, account linking, or branded trust should treat this as a phishing-risk issue even though it is not a code-execution flaw.

Technical summary

The vulnerability is an unvalidated redirect in the view_survey endpoint. The supplied CVE description states that redirect_url is accepted from the query string and passed directly to HttpResponseRedirect() with no URL validation. If the requested survey name does not exist, the application issues an immediate 302 redirect to the supplied URL. The same value is also embedded in a hidden form field and returned in a JSON response after form submission; in that flow, client-side JavaScript sets location.href = url, so the browser follows the attacker-supplied destination even when the server does not itself issue a redirect. The weakness is classified as CWE-601 (URL Redirection to Untrusted Site, the open redirect weakness) in the advisory metadata. The NVD record lists affected Open edX versions up to and including 2026-04-02.

Defensive priority

Medium. This is not a remote code execution issue, but it can be used to redirect authenticated users to attacker-controlled destinations and support phishing or credential theft. Prioritize remediation if the survey feature is exposed to users or if your deployment relies on user trust in in-app redirects.

Recommended defensive actions

  • Apply the Open edX fix referenced by commit 76462f1e5fa9b37d2621ad7ad19514b403908970 or deploy a release that includes it.
  • Review any custom code or reverse-proxy rules that pass user-controlled redirect targets into Open edX endpoints.
  • Add server-side validation or allowlisting for redirect destinations; do not trust redirect_url from the client.
  • Audit the view_survey flow and any related front-end JavaScript for trust in hidden fields or JSON-returned URLs.
  • Monitor for unusual redirect patterns and user reports of unexpected navigation to external domains.
  • If immediate patching is not possible, restrict exposure to the affected survey functionality and communicate phishing risk to users.
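The flow in the technical summary (redirect_url passed straight into the 302, the hidden field and the JSON response) and the allowlisting recommendation above can be shown side by side. The following is an added example, not Open edX code and not the vendor's fix commit: it models the vulnerable pattern as a function that returns the redirect target, and a hardened variant that validates the value once and hands the same validated value to every sink. The validation logic mirrors the structural checks Django's real `django.utils.http.url_has_allowed_host_and_scheme` performs (three-slash URLs, scheme without host, leading control characters, backslash folding, scheme-relative hosts), reimplemented on `urllib` so the file runs without Django installed. `ALLOWED_HOSTS`, `FALLBACK_URL`, the hostnames and the two view helpers are constructed for the example.

```python
"""Open-redirect check for a client-supplied redirect_url parameter.

Added example: not Open edX code and not the vendor patch. The checks in
_host_and_scheme_ok mirror what Django's url_has_allowed_host_and_scheme
does, rewritten on urllib so this file runs stand-alone.
"""
import unicodedata
from urllib.parse import urlsplit

# Hosts this deployment is allowed to redirect to (constructed for the example).
ALLOWED_HOSTS = {"learn.example.org"}
# Where to send the user when redirect_url fails validation (constructed).
FALLBACK_URL = "/dashboard"


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    """Structural checks on one spelling of the URL (raw or backslash-folded)."""
    # Chrome treats three or more leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example" or "javascript:..." : a scheme with no host is never safe.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers skip leading control characters and then read the rest as scheme-relative.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:  # "//evil.example/x" is scheme-relative, i.e. http(s)
        scheme = "http"
    valid_schemes = ("https",) if require_https else ("http", "https")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True only for a same-site relative path or an absolute http(s) URL on an allowed host."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Browsers fold "\" into "/", so "/\evil.example" must also be judged as "//evil.example".
    folded = url.replace("\\", "/")
    return (_host_and_scheme_ok(url, allowed_hosts, require_https)
            and _host_and_scheme_ok(folded, allowed_hosts, require_https))


def vulnerable_survey_redirect(params):
    """The pattern the advisory describes: the query value becomes the 302 target unchanged.

    In a Django view this value would go straight into HttpResponseRedirect(url),
    into the hidden form field, and into the JSON the page later assigns to location.href.
    """
    return params.get("redirect_url")


def hardened_survey_redirect(params, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK_URL):
    """Validate once; reuse the validated value for the 302, the hidden field and the JSON."""
    url = params.get("redirect_url")
    if is_safe_redirect(url, allowed_hosts):
        return url.strip()
    return fallback


if __name__ == "__main__":
    # Constructed sample values a client might send; the hardened path only keeps the first two.
    samples = [
        "/courses/demo/progress",
        "https://learn.example.org/dashboard",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example",
        "javascript:alert(1)",
        "https:///evil.example",
    ]
    for sample in samples:
        params = {"redirect_url": sample}
        print(f"{sample!r:40} vulnerable -> {vulnerable_survey_redirect(params)!r:40} "
              f"hardened -> {hardened_survey_redirect(params)!r}")
```

The hardened helper returns a single validated string so that the 302 target, the hidden field and the JSON field all come from one decision; reflecting the raw value into the JSON and validating only on the server-side redirect would leave the location.href path open. Comparing `netloc` exactly against the allowlist means a host written with an explicit port is rejected, which is the conservative choice for a redirect allowlist.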

Evidence notes

This debrief is based on the supplied CVE description and the official NVD modified record. The NVD metadata cites GitHub Security Advisory GHSA-2843-x998-f8r2 and the patch commit 76462f1e5fa9b37d2621ad7ad19514b403908970. The record also lists CWE-601 and a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The timeline and disclosure date used here are the CVE published and modified timestamps provided in the corpus.

Official resources

CVE published on 2026-04-06 and modified on 2026-05-11, per the supplied CVE timeline. The advisory metadata references a vendor fix commit and a GitHub Security Advisory.