CVE-2026-42860
Open edX · edx-enterprise
A Server-Side Request Forgery (SSRF) vulnerability in the Open edX Enterprise Service app allows authenticated users to send unauthorized requests to internal services.
Executive summary
An SSRF vulnerability in the Open edX Enterprise Service application allows authenticated users to access internal resources, necessitating an update to version 7.0.5.
Vulnerability
The application is susceptible to a Server-Side Request Forgery (CWE-918) vulnerability, which allows an authenticated user to coerce the server into making unauthorized requests to internal or external destinations.
Business impact
This vulnerability could allow an attacker to probe internal network infrastructure, potentially bypassing firewalls and accessing sensitive internal services that are not exposed to the public internet. Given the CVSS score of 8.5, this represents a significant risk of lateral movement and information disclosure.
Remediation
Immediate Action: Update the edx-enterprise package to version 7.0.5 or later via PyPI.
Proactive Monitoring: Monitor egress traffic from the application server for unusual connections to internal IP addresses or sensitive network ports.
Compensating Controls: Use network segmentation and strict egress filtering to prevent the application server from initiating unauthorized connections to internal network segments.
Exploitation status
Public Exploit Available: No (No confirmed public weaponized exploit exists in available data).
Analyst recommendation
SSRF vulnerabilities are frequently used as a gateway for deeper network penetration. Security teams should prioritize patching the edx-enterprise service and ensuring that the application server operates with the principle of least privilege regarding network connectivity.