Auth bypass in Polarnl Polarlearn
CVE-2026-39322
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authe…
Vulnerability class: Broken Authentication
EPSS: 0.001 (17.7th percentile)
Affected products
- Polarnl Polarlearn — versions <= v0-PRERELEASE-15
Weakness classification (CWE)
References
- https://github.com/polarnl/PolarLearn/security/advisories/GHSA-9vx4-7ww7-4cf5 (x_refsource_CONFIRM)