CVE-2026-31946
OpenOlat · OpenOlat (e-learning platform)
OpenOlat fails to verify JWT signatures in its OpenID Connect implicit flow implementation, allowing attackers to bypass authentication by providing forged, unverified tokens.
Executive summary
OpenOlat’s failure to cryptographically verify JWT signatures allows unauthenticated attackers to forge identity tokens and gain unauthorized access to the e-learning platform.
Vulnerability
The OpenID Connect implementation in OpenOlat parses JWTs by splitting off the signature segment and discarding it instead of verifying it. Because the getAccessToken() method only checks claims such as audience and issuer, which an unverified payload can carry with any value, an unauthenticated attacker can craft a JWT that the system accepts as valid.
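As an added illustration, not OpenOlat's code and not the fix shipped in 20.2.5, the Go program below places a token parser with the flaw described here beside one that verifies the signature the way the remediation describes: algorithm pinned, key selected by kid from the Identity Provider's JWKS, RS256 checked over header.payload before any claim is trusted. The issuer, audience and kid values are constructed, the function names vulnerableGetAccessToken and verifiedGetAccessToken are hypothetical echoes of the getAccessToken() method named above, and the IdP key pair is generated in-process as a stand-in for the JWKS document a relying party would fetch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed stand-ins for a deployment's real IdP issuer and client id.
const (
	trustedIssuer    = "https://idp.example.test"
	expectedAudience = "openolat-client"
)

// Claims is the subset of ID-token claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON.
func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// checkClaims is the non-cryptographic part: issuer and audience only.
func checkClaims(payload string) (*Claims, error) {
	var c Claims
	if err := decodeSegment(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != trustedIssuer || c.Aud != expectedAudience {
		return nil, errors.New("issuer or audience mismatch")
	}
	return &c, nil
}

// vulnerableGetAccessToken mirrors the flaw: the signature segment is split off and never examined.
func vulnerableGetAccessToken(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	return checkClaims(parts[1]) // parts[2] is discarded, so any iss/aud pair passes
}

// verifiedGetAccessToken is the hardened form: pin alg, pick the IdP key by kid, verify RS256, then check claims.
func verifiedGetAccessToken(token string, jwks map[string]*rsa.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &h); err != nil {
		return nil, err
	}
	if h.Alg != "RS256" { // also rejects "none" and algorithm confusion
		return nil, errors.New("unexpected alg")
	}
	pub, ok := jwks[h.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	return checkClaims(parts[1]) // claims are trusted only after the signature holds
}

// mintToken builds header.payload.signature; a real key gives the IdP's RS256 signature, nil gives a bogus one (negative vector).
func mintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	cb, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(cb)
	sig := []byte("not-a-signature")
	if priv != nil {
		digest := sha256.Sum256([]byte(input))
		sig, _ = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// newKeySet makes one IdP key pair and the kid->key map a relying party would build from the IdP's JWKS document.
func newKeySet(kid string) (*rsa.PrivateKey, map[string]*rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv, map[string]*rsa.PublicKey{kid: &priv.PublicKey}
}
```

The file has no main; exercise it from a test or a small driver that feeds the same unsigned token to both parsers: the vulnerable one returns claims, the hardened one returns an error, and only a token signed by a key present in the kid map passes the hardened path. Pinning the algorithm before the key lookup matters because the header is attacker-controlled until the signature has been checked.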
Business impact
This flaw effectively nullifies the security of the OpenID Connect authentication mechanism, leading to potential widespread account takeovers and unauthorized access to sensitive educational data. The CVSS score of 9.8 underscores the critical nature of this authentication bypass, which threatens the privacy of students and staff and the overall integrity of the platform.
Remediation
Immediate Action: Upgrade OpenOlat installations to version 20.2.5 or higher, which introduces mandatory cryptographic signature verification against the Identity Provider's JWKS endpoint.
Proactive Monitoring: Audit authentication logs for unusual login patterns or JWTs lacking standard headers, and monitor for unauthorized access to administrative or privileged user accounts.
Compensating Controls: If an immediate update is not possible, consider temporarily disabling OIDC implicit flow or enforcing secondary authentication factors where applicable.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The absence of signature verification is a fundamental security failure in any OIDC implementation. Administrators must treat this as a top-priority security event and apply the 20.2.5 patch immediately to ensure that only authenticated, verified users can access the system.