CVE-2026-25221: CWE-352: Cross-Site Request Forgery (CSRF) in polarnl PolarLearn
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker.
AI Analysis
Technical Summary
CVE-2026-25221 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the PolarLearn open-source learning platform, specifically in versions up to v0-PRERELEASE-15. The flaw resides in the OAuth 2.0 authentication flow for GitHub and Google login providers, where the application fails to implement or verify the 'state' parameter, the anti-CSRF mechanism that binds an authorization request to the user's session so that the callback can be tied to the login that session actually started. Without this verification, an attacker can craft a malicious link or webpage that causes a victim to unknowingly authenticate into the attacker's account on PolarLearn. This attack vector is known as Login CSRF. The impact is that any data the victim inputs, including academic progress or personal information, is recorded under the attacker's account, leading to data loss for the victim and potential information disclosure to the attacker. The vulnerability requires no prior authentication by the attacker but does require user interaction (clicking a malicious link). The CVSS 4.0 base score is 2.3, reflecting low severity due to limited impact on confidentiality and availability but some impact on integrity and user trust. No known exploits have been reported, and no official patches have been released as of the publication date. The vulnerability is categorized under CWE-352, which covers CSRF issues. This vulnerability highlights the importance of proper OAuth state parameter implementation to prevent session fixation and CSRF attacks in web applications.
Potential Impact
For European organizations, especially educational institutions and e-learning providers using PolarLearn, this vulnerability can lead to significant data integrity issues. Victims may unknowingly lose control over their academic progress and personal data, which is instead stored in an attacker-controlled account. This can disrupt learning continuity and compromise user trust in the platform. Although the confidentiality impact is limited to data entered post-login, the integrity of academic records is compromised, which may affect grading, certification, or compliance with educational standards. The attack requires user interaction but no authentication, making it feasible through phishing or malicious websites. While availability is not directly impacted, the loss of data control and potential information disclosure can have reputational and operational consequences. Given the low CVSS score, the threat is not critical but should not be ignored, particularly in environments with sensitive academic data or where user trust is paramount.
Mitigation Recommendations
To mitigate this vulnerability, organizations using PolarLearn should:
1) Update the OAuth 2.0 implementation to correctly generate, include, and verify the 'state' parameter during the authentication flow to prevent CSRF attacks.
2) If an official patch or updated version becomes available, apply it promptly.
3) Educate users about the risks of clicking unsolicited links, especially those related to login or authentication processes.
4) Implement additional security controls such as Content Security Policy (CSP) and SameSite cookies to reduce CSRF risks.
5) Monitor user accounts for suspicious activity that may indicate login CSRF exploitation.
6) Consider multi-factor authentication (MFA) where possible to add an additional layer of security, although it may not fully prevent this specific attack.
7) Conduct security reviews of third-party OAuth integrations to ensure compliance with best practices.
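The following is an added illustration of what "generate, include, and verify the state parameter" means in an authorization-code flow; it is not PolarLearn's code and does not reflect how that project structures its login handlers. It assumes a generic server-side session (a plain dict here), a standard provider /authorize endpoint, and placeholder values for AUTHORIZE_URL, CLIENT_ID and REDIRECT_URI. The vulnerable pair of functions shows the pattern the advisory describes, where a callback is honoured whoever started the flow; the hardened pair binds a random state to the session, checks it in constant time, and consumes it so a callback cannot be replayed. The cookie helper covers the SameSite recommendation from the mitigation list, with the caveat that Strict would break the provider's redirect back to the callback.

```python
"""Login-CSRF protection for an OAuth 2.0 authorization-code flow.

Added illustration; this is not PolarLearn's code.  It assumes a generic
server-side session (a plain dict here) and a standard provider
/authorize endpoint.  AUTHORIZE_URL, CLIENT_ID and REDIRECT_URI are
placeholders, not real endpoints.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # placeholder
CLIENT_ID = "example-client-id"                              # placeholder
REDIRECT_URI = "https://app.example/auth/callback"           # placeholder
STATE_KEY = "oauth_state"


class LoginCsrfError(Exception):
    """The callback cannot be tied to a login this session started."""


def query_from_url(url: str) -> dict:
    """Flatten the query string of a URL into a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_url_vulnerable(session: dict) -> str:
    """The pattern the advisory describes: no state is generated or stored,
    so the callback handler has nothing to tie the response to this session."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid email"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback_vulnerable(session: dict, query: dict) -> str:
    """Accepts any authorization code it is handed, whoever started the flow."""
    code = query.get("code")
    if not code:
        raise LoginCsrfError("missing authorization code")
    return code


def build_authorization_url(session: dict) -> str:
    """Hardened: mint an unguessable state, bind it to this session, send it."""
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid email",
              "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, query: dict) -> str:
    """Hardened: honour the callback only if it carries the exact state this
    session issued; each state value is accepted once."""
    expected = session.pop(STATE_KEY, None)  # consume it: no replay of a callback
    received = query.get("state")
    if not expected or not received:
        raise LoginCsrfError("no login was started in this session")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise LoginCsrfError("state does not match this session")
    code = query.get("code")
    if not code:
        raise LoginCsrfError("missing authorization code")
    return code


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the session cookie.  SameSite=Lax still sends the
    cookie on the provider's top-level redirect back to the callback (which
    SameSite=Strict would block) while suppressing cross-site POSTs."""
    return f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> dict:
    """Constructed scenario: a completed callback arrives at the callback
    endpoint for a session that never initiated a login."""
    results = {}
    foreign = query_from_url(REDIRECT_URI + "?" + urlencode({"code": "code-from-another-session"}))
    results["vulnerable_accepts_foreign"] = handle_callback_vulnerable({}, foreign) == "code-from-another-session"
    try:
        handle_callback({}, foreign)
        results["hardened_rejects_foreign"] = False
    except LoginCsrfError:
        results["hardened_rejects_foreign"] = True
    # Legitimate flow: the same session starts the login and receives the callback.
    sess = {}
    state = query_from_url(build_authorization_url(sess))["state"]
    own = query_from_url(REDIRECT_URI + "?" + urlencode({"code": "own-code", "state": state}))
    results["hardened_accepts_own"] = handle_callback(sess, own) == "own-code"
    try:  # the same callback a second time: its state has already been consumed
        handle_callback(sess, own)
        results["hardened_rejects_replay"] = False
    except LoginCsrfError:
        results["hardened_rejects_replay"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dict in which the vulnerable handler accepts the foreign callback while the hardened one rejects it, accepts the session's own callback, and rejects its replay. In a real deployment the state must live in server-side or signed session storage that the browser cannot forge, and a stored state should also expire after a few minutes so an abandoned login cannot be completed later.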
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-30T14:44:47.327Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69813006f9fa50a62f63a414
Added to database: 2/2/2026, 11:15:18 PM
Last enriched: 2/2/2026, 11:31:48 PM
Last updated: 2/5/2026, 8:13:10 AM