PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56877 Skillable CVE debrief

CVE-2026-56877 is a vulnerability in the SCORM lab launch endpoint of Skillable (formerly Learn on Demand Systems). The endpoint fails to validate the client-supplied userId parameter against the authenticated SCORM session token. This allows an authenticated user to bypass per-user lab launch rate limits and consume other users' lab allocations, potentially leading to denial of service against targeted users' lab and exam access.

Vendor
Skillable
Product
SCORM Lab Launch Integration
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Administrators and users of Skillable's SCORM lab launch endpoint should be aware of this vulnerability. Successful exploitation could result in denial of service against targeted users, impacting their lab and exam access.

Technical summary

The SCORM lab launch endpoint in Skillable through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. An authenticated user can substitute arbitrary userId values to bypass per-user lab launch rate limits and consume other users' lab allocations, resulting in denial of service against targeted users' lab and exam access. This issue affects Skillable, formerly known as Learn on Demand Systems, and successful exploitation could lead to lab and exam access denial for targeted users.

Defensive priority

Medium priority should be given to patching or mitigating this vulnerability, as it could lead to denial of service attacks against users of the affected endpoint.

Recommended defensive actions

  • Apply the vendor's patch or update to a version that validates the userId parameter against the authenticated SCORM session token.
  • Implement rate limiting and monitoring to detect and prevent potential abuse.
  • Review and update access controls to ensure that lab allocations are properly managed and secured.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-13T22:16:48.133Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability has a CVSS score of 6.3 and a severity of MEDIUM.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T22:16:48.133Z and has not been modified since then. The NVD entry is currently in the 'Received' status.