CVE-2025-68270
📋 TL;DR
This vulnerability in Open edX Platform allows users holding CourseLimitedStaffRole to access and edit courses in Studio (the Open edX authoring tool) when the role is granted at organization level instead of course level. Such users can list and open courses they should not be able to reach, bypassing the intended access controls. Any deployment on a version that predates the fix and that grants this role at organization level is exposed.
💻 Affected Systems
- Open edX Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A user holding only an organization-scoped CourseLimitedStaffRole could open and edit the content and settings of every course in that organization through Studio, disrupting learning operations across many courses at once.
Likely Case
Users with the limited staff role see and open Studio courses outside the course they were meant to support, viewing or modifying content beyond their authorized scope.
If Mitigated
With proper role-based access controls and monitoring, unauthorized access attempts would be detected and prevented before significant damage occurs.
🎯 Exploit Status
Exploitation requires an authenticated user who holds CourseLimitedStaffRole scoped to an organization rather than to a single course. No tooling is needed: once the role is granted at that scope, the user's ordinary Studio session lists the organization's courses and lets them be edited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060
Vendor Advisory: https://github.com/openedx/edx-platform/security/advisories/GHSA-rh64-vc2h-7wfj
Restart Required: Yes
Instructions:
1. Update to latest Open edX version containing commit 05d0d0936daf82c476617257aa6c35f0cd4ca060
2. Apply the fix via pull request #37772 or #37773
3. Restart all Open edX services
4. Verify role permissions are correctly applied
🔧 Temporary Workarounds
Remove Organization-Level CourseLimitedStaffRole
Temporarily remove CourseLimitedStaffRole assignments made at organization level and re-grant the role at course level only where a user actually needs it.
# Use the Django admin (Student > Course access roles) or the Open edX admin interface to review and modify role assignments.
# Check current org-level assignments. Table and role key follow edx-platform's CourseAccessRole model
# (student_courseaccessrole, role 'limited_staff'); confirm both against your schema before relying on the query:
# SELECT user_id, org, course_id, role FROM student_courseaccessrole WHERE role = 'limited_staff' AND (course_id IS NULL OR course_id = '');
🧯 If You Can't Patch
- Audit all CourseLimitedStaffRole assignments and ensure they are only granted at course level, not organization level
- Implement additional monitoring and alerting for unauthorized course access attempts in Studio
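The audit above can be scripted against an export of the course-access-role table. The following is an added example written for this page, not edx-platform code: it assumes a CSV export shaped like edx-platform's student_courseaccessrole table (user_id, org, course_id, role), that CourseLimitedStaffRole is stored under the role key 'limited_staff', and that the rows shown are constructed sample data. It lists every organization-scoped limited-staff grant and turns each into a revoke plus the course-level grants that should replace it.

```python
"""Audit exported course-access roles for organization-scoped CourseLimitedStaffRole grants.

Added example for this page; it is not edx-platform code. It assumes an export shaped like
edx-platform's student_courseaccessrole table (user_id, org, course_id, role) and that
CourseLimitedStaffRole is stored under the role key 'limited_staff'. Check both against your
deployment's schema before acting on the output.
"""
import csv
import io

LIMITED_STAFF = "limited_staff"  # assumed role key for CourseLimitedStaffRole

# Constructed sample export (not real data): one org-level limited_staff grant per org,
# two course-level grants, and an org-level 'staff' grant that is out of scope.
SAMPLE_EXPORT = """\
user_id,org,course_id,role
101,DemoX,course-v1:DemoX+CS101+2025,limited_staff
102,DemoX,,limited_staff
103,DemoX,,staff
104,OtherX,,limited_staff
105,OtherX,course-v1:OtherX+Bio200+2025,limited_staff
"""


def parse_export(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_org_scoped(row):
    """An organization-level grant names an org but no course."""
    return bool(row["org"]) and not (row["course_id"] or "").strip()


def org_level_limited_staff(rows):
    """Rows that grant CourseLimitedStaffRole for a whole organization: the grants
    that expose Studio on unpatched versions and that the workaround removes."""
    return [r for r in rows if r["role"] == LIMITED_STAFF and is_org_scoped(r)]


def remediation_plan(rows, needed_courses):
    """Turn each org-level grant into a revoke plus the course-level grants that
    should replace it. needed_courses maps user_id -> course ids the user actually
    supports; that list must come from your own records, not from the export."""
    plan = []
    for r in org_level_limited_staff(rows):
        plan.append({
            "revoke": {"user_id": r["user_id"], "org": r["org"], "role": LIMITED_STAFF},
            "grant": [
                {"user_id": r["user_id"], "course_id": c, "role": LIMITED_STAFF}
                for c in needed_courses.get(r["user_id"], [])
            ],
        })
    return plan


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for item in remediation_plan(rows, {"102": ["course-v1:DemoX+CS101+2025"]}):
        rev = item["revoke"]
        print(f"revoke org-level {rev['role']} for user {rev['user_id']} in {rev['org']}")
        for g in item["grant"]:
            print(f"  grant course-level {g['role']} on {g['course_id']}")
        if not item["grant"]:
            print("  no replacement courses recorded; confirm with the course team before revoking")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the revoke list is the set of rows to delete, and an empty grant list is a prompt to ask the course team which courses the user needs rather than a reason to leave the org-level grant in place.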
🔍 How to Verify
Check if Vulnerable:
Check whether the edx-platform checkout your deployment is built from contains commit 05d0d0936daf82c476617257aa6c35f0cd4ca060. If it does not, confirm the behaviour in a staging environment: grant a test user CourseLimitedStaffRole at organization level (no course), sign in to Studio as that user, and check whether the organization's courses are listed and editable.
Check Version:
git merge-base --is-ancestor 05d0d0936daf82c476617257aa6c35f0cd4ca060 HEAD && echo "fix present" || echo "fix missing"
(Run inside the edx-platform checkout. A plain `git log --oneline | grep <full hash>` never matches, because --oneline prints abbreviated hashes.)
Verify Fix Applied:
After patching, verify that CourseLimitedStaffRole users cannot access or list courses in Studio when granted organization-level permissions.
📡 Detection & Monitoring
Log Indicators:
- Successful (HTTP 2xx) requests to course pages on the Studio (CMS) host from users whose only grant covering that course's organization is an organization-level CourseLimitedStaffRole. Studio normally runs on its own hostname (for example studio.<lms-domain>), not under a /studio/ path, so match on the CMS host rather than a path prefix.
- Studio course-listing requests from such users that return the organization's courses rather than an empty list or a denial
Network Indicators:
- HTTP 200 responses from Studio course endpoints to users who hold only an org-level CourseLimitedStaffRole indicate the bypass; HTTP 403 to the same requests is the expected outcome on a patched system and can serve as a post-patch check
SIEM Query:
source="openedx_cms" AND http_status>=200 AND http_status<300 AND uri_path="/course/*" AND user_role="limited_staff" AND NOT course_level_grant=true
(Field names are illustrative; the point is to join Studio access logs with the role table and keep only successful course-page requests from users with no course-level grant.)
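The join the query describes can be run offline over exported logs. The following is an added example written for this page, not edx-platform code or a shipped detection rule. It assumes role rows mirror edx-platform's student_courseaccessrole columns (user_id, org, course_id, role) with CourseLimitedStaffRole stored as 'limited_staff', that Studio course pages live under /course/<course key> on the CMS host, and that the access log has already been joined to a user id and reduced to "<user_id> <method> <path> <status>" per line; both the role rows and the log lines below are constructed sample data.

```python
"""Flag Studio requests that only an organization-level CourseLimitedStaffRole could have
allowed. Added example for this page; not edx-platform code and not a shipped detection rule.

Assumptions to verify against your deployment: role rows mirror edx-platform's
student_courseaccessrole columns (user_id, org, course_id, role) with CourseLimitedStaffRole
stored as 'limited_staff'; Studio course pages live under /course/<course key> on the CMS host;
and the access log has already been joined to a user id and reduced to
"<user_id> <method> <path> <status>" per line.
"""
import re

LIMITED_STAFF = "limited_staff"

COURSE_KEY_RE = re.compile(r"course-v1:(?P<org>[^+/\s]+)\+[^/\s]+")
LOG_LINE_RE = re.compile(r"^(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed role rows (not real data).
ROLE_ROWS = [
    ("101", "DemoX", "course-v1:DemoX+CS101+2025", LIMITED_STAFF),  # course-level: intended use
    ("102", "DemoX", "", LIMITED_STAFF),                            # org-level: the bug
    ("103", "DemoX", "", "staff"),                                   # org-level staff: legitimate
]

# Constructed Studio access log (not real traffic).
SAMPLE_LOG = """\
102 GET /course/course-v1:DemoX+CS101+2025 200
102 GET /home/ 200
101 GET /course/course-v1:DemoX+CS101+2025 200
102 GET /course/course-v1:DemoX+CS102+2025 403
103 GET /course/course-v1:DemoX+CS101+2025 200
"""


def index_roles(rows):
    """user_id -> list of (org, course_id, role)."""
    by_user = {}
    for user_id, org, course_id, role in rows:
        by_user.setdefault(user_id, []).append((org, course_id, role))
    return by_user


def only_org_level_limited_staff(grants, org, course_id):
    """True when nothing but an org-level limited_staff grant covers this course.
    Any course-level grant, or an org-level grant of another role, counts as
    legitimate so that the rule stays narrow and low-noise."""
    if any(g_course == course_id for _, g_course, _ in grants):
        return False
    org_roles = {role for g_org, g_course, role in grants if g_org == org and not g_course}
    return org_roles == {LIMITED_STAFF}


def find_suspect_access(log_text, rows):
    """Return (user_id, course_id, path) for each successful course-page request
    that the org-level-only rule flags. Denied (403) requests are not flagged:
    on a patched system they are the expected outcome."""
    by_user = index_roles(rows)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m or not m["status"].startswith("2"):
            continue
        key = COURSE_KEY_RE.search(m["path"])
        if not key:
            continue  # not a course-scoped page (e.g. the /home/ listing)
        course_id = key.group(0)
        if only_org_level_limited_staff(by_user.get(m["user"], []), key["org"], course_id):
            hits.append((m["user"], course_id, m["path"]))
    return hits


if __name__ == "__main__":
    for user, course, path in find_suspect_access(SAMPLE_LOG, ROLE_ROWS):
        print(f"user {user} reached {path} holding only an org-level limited_staff grant on {course}")
```

On the sample data only user 102's successful request to the CS101 outline is flagged: user 101 has a course-level grant, user 103 holds an org-level 'staff' role that legitimately covers the course, and 102's 403 on CS102 is a denial, not a bypass. Once the fix is deployed, the same function should return nothing; if it still does, the patch did not take effect.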