Hello Open edX Security Working Group,
I am writing to report a security vulnerability I discovered in the Open
edX platform during an authorized security assessment.
The vulnerability allows an unauthenticated attacker to fully bypass the
email verification process by combining two issues: the OAuth2 password
grant issuing tokens to inactive users (documented behavior) and the
activation_key being exposed in the REST API response at
/api/user/v1/accounts/.
Please find attached:
- report-openedx-activation-key-leak.pdf: Full vulnerability report with
detailed reproduction steps and links to vulnerable code.
- poc-openedx-activation-bypass.py: Standalone proof-of-concept script
(stdlib-only Python, no external dependencies).
Tested on Open edX Sumac (Tutor deployment). Likely affects other
releases where the account serializer includes the activation_key field.
I am available for any questions or additional information you may need.
Best regards,
Daniel Baillo
poc-openedx-activation-bypass.py
report-openedx-activation-key-leak.pdf
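As an added example (not part of this report or of the attached PoC), a defender-side regression check for the leak the message describes: walk an account API JSON body and flag any field that should never leave the server, such as `activation_key`. The sample responses are constructed, not real Open edX payloads, and the extra denylist entries are assumed additions a reviewer might include.

```python
import json

# Field names that must never appear in a public account representation.
# `activation_key` is the field this report concerns; the other two are
# assumed additions, not fields the report mentions.
SENSITIVE_FIELDS = frozenset({"activation_key", "password", "secret_key"})


def find_sensitive_fields(obj, path="$"):
    """Recursively walk a decoded JSON value and return JSONPath-like
    locations of every key whose name is in SENSITIVE_FIELDS."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_FIELDS:
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def audit_accounts_response(body):
    """Parse a raw accounts-endpoint response body and return the list of
    leaked field locations; an empty list means the check passes."""
    return find_sensitive_fields(json.loads(body))


# Constructed sample of a leaking response; the key value is a placeholder.
LEAKING_BODY = json.dumps([{
    "username": "newuser",
    "email": "newuser@example.com",
    "is_active": False,
    "activation_key": "<placeholder-activation-key>",
}])

# Constructed sample of a response that keeps the secret server-side.
CLEAN_BODY = json.dumps([{
    "username": "newuser",
    "email": "newuser@example.com",
    "is_active": False,
}])

if __name__ == "__main__":
    for label, body in (("leaking", LEAKING_BODY), ("clean", CLEAN_BODY)):
        print(label, audit_accounts_response(body))
```

Run it against a captured response from a staging deployment after upgrading, and fail the check if the returned list is non-empty.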