CVE-2026-25885 identifies a critical improper authorization vulnerability (CWE-285) in the PolarLearn open-source learning platform, specifically affecting versions earlier than 0-PRERELEASE-16. The issue resides in the group chat WebSocket endpoint (wss://polarlearn.nl/api/v1/ws), which does not enforce authentication or authorization checks. An unauthenticated attacker can connect to this WebSocket and subscribe to any group chat by providing the group's UUID, effectively gaining read access to chat messages. Moreover, the attacker can send messages to any group chat, which the server accepts and stores persistently in the group’s chatContent. This means the attacker can inject arbitrary messages, potentially spreading misinformation, disrupting communication, or conducting social engineering attacks. The vulnerability impacts confidentiality (unauthorized read access), integrity (unauthorized message injection), and availability (potential spam or denial of service through message flooding). The CVSS 4.0 vector indicates network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability, resulting in a maximum score of 10. No patches or exploits are currently reported, but the vulnerability's nature makes it highly exploitable. The root cause is a lack of proper authorization and authentication controls on the WebSocket API, violating secure design principles for access control in real-time communication systems.

For European organizations, especially educational institutions and training providers using PolarLearn, this vulnerability poses significant risks. Unauthorized access to group chats can lead to leakage of sensitive discussions, exposing personal data or intellectual property. The ability to inject messages undermines the integrity of communications, potentially causing misinformation, reputational damage, or manipulation of collaborative learning environments. Persistent storage of unauthorized messages can complicate incident response and forensic analysis. Additionally, attackers could disrupt normal operations by spamming group chats, impacting availability and user trust. Given the critical CVSS score and ease of exploitation, organizations face a high risk of data breaches and operational disruption. The impact is exacerbated in sectors with strict data protection regulations such as GDPR, where unauthorized data exposure can lead to legal and financial penalties.

Immediate mitigation involves upgrading PolarLearn to a version later than 0-PRERELEASE-16 once a patch is released that enforces proper authentication and authorization on the WebSocket endpoint. Until then, organizations should implement network-level controls such as firewall rules or Web Application Firewalls (WAFs) to restrict access to the WebSocket URL to authenticated users or trusted IP ranges. Deploying reverse proxies that enforce authentication tokens or session validation before allowing WebSocket connections can also reduce exposure. Monitoring WebSocket traffic for unusual subscription patterns or message injection attempts is recommended to detect exploitation attempts early. Additionally, organizations should review and sanitize stored chat content to remove unauthorized messages and consider implementing logging and alerting for WebSocket activity. User education about potential misinformation and suspicious messages can help mitigate social engineering risks. Finally, engaging with the PolarLearn community or vendor for timely updates and patches is critical.