PatchSiren cyber security CVE debrief
CVE-2026-56877 Skillable CVE debrief
CVE-2026-56877 is a vulnerability in the SCORM lab launch endpoint of Skillable (formerly Learn on Demand Systems). The endpoint fails to validate the client-supplied userId parameter against the authenticated SCORM session token. This allows an authenticated user to bypass per-user lab launch rate limits and consume other users' lab allocations, potentially leading to denial of service against targeted users' lab and exam access.
- Vendor
- Skillable
- Product
- SCORM Lab Launch Integration
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Administrators and users of Skillable's SCORM lab launch endpoint should be aware of this vulnerability. Successful exploitation could result in denial of service against targeted users, impacting their lab and exam access.
Technical summary
The SCORM lab launch endpoint in Skillable through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. An authenticated user can substitute arbitrary userId values to bypass per-user lab launch rate limits and consume other users' lab allocations, resulting in denial of service against targeted users' lab and exam access. This issue affects Skillable, formerly known as Learn on Demand Systems, and successful exploitation could lead to lab and exam access denial for targeted users.
Defensive priority
Medium priority should be given to patching or mitigating this vulnerability, as it could lead to denial of service attacks against users of the affected endpoint.
Recommended defensive actions
- Apply the vendor's patch or update to a version that validates the userId parameter against the authenticated SCORM session token.
- Implement rate limiting and monitoring to detect and prevent potential abuse.
- Review and update access controls to ensure that lab allocations are properly managed and secured.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-13T22:16:48.133Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability has a CVSS score of 6.3 and a severity of MEDIUM.
Official resources
-
CVE-2026-56877 CVE record
CVE.org
-
CVE-2026-56877 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T22:16:48.133Z and has not been modified since then. The NVD entry is currently in the 'Received' status.