
fix: apply upstream security patch to remove activation_key exposure from account API#1366

Merged
ahmed-arb merged 2 commits into overhangio:release from eduNEXT:sgb/activation-key-security-backport
Apr 17, 2026

Conversation

Gi-ron (Contributor) commented Apr 9, 2026

Description

This PR applies an upstream security fix from Open edX by backporting the following commit into the Tutor Open edX Docker image, which removes the activation_key field from the /api/user/v1/accounts/{username} response to prevent a vulnerability where attackers could bypass email verification by combining OAuth2 password grant access for inactive users with direct account activation:

openedx/openedx-platform@21cead2

This issue is part of the security advisory discussed here:
https://discuss.openedx.org/t/security-upcoming-security-release-for-openedx-platform-2026-03-27/18655

This PR is proposed because the fix is not yet included in an official Open edX Ulmo release used by Tutor. Applying it at build time ensures that Tutor deployments are protected until the fix is available upstream in a stable release.
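Since the backport is applied at image build time, an operator wants a check that the rebuilt deployment actually stopped returning the field. The following is an added example for this page, not Tutor or Open edX project code: it scans an account API JSON payload for sensitive keys at any nesting depth and reports their paths. The endpoint path /api/user/v1/accounts/{username} and the activation_key field come from the PR description above; the sample responses, the extra key names in SENSITIVE_KEYS, and the exact field set of the real serializer are assumptions made for illustration.

```python
"""Verify that an Open edX account API response no longer leaks activation_key.

Added example, not project code.  Constructed sample payloads below only
illustrate the response shape; the real serializer output may differ.
"""
import json
import sys
from typing import Any

# Keys that must never reach an API consumer.  activation_key is the field
# the backported patch removes; password and secret are assumed additional
# names worth catching, not fields the page says the endpoint returned.
SENSITIVE_KEYS = frozenset({"activation_key", "password", "secret"})


def leaked_fields(payload: Any, sensitive: frozenset = SENSITIVE_KEYS) -> list[str]:
    """Return dotted paths of every sensitive key in a nested JSON structure.

    Handles objects nested in lists (e.g. a bulk lookup returning several
    accounts) and matches key names case-insensitively, so a renamed
    ActivationKey variant is caught as well.
    """
    lowered = {k.lower() for k in sensitive}
    hits: list[str] = []

    def visit(obj: Any, path: str) -> None:
        if isinstance(obj, dict):
            for key, value in obj.items():
                child = f"{path}.{key}" if path else str(key)
                if str(key).lower() in lowered:
                    hits.append(child)
                visit(value, child)  # keep descending: nested leaks count too
        elif isinstance(obj, list):
            for idx, value in enumerate(obj):
                visit(value, f"{path}[{idx}]")

    visit(payload, "")
    return hits


def check_response(raw_json: str) -> dict:
    """Parse a raw response body and report whether it is clean."""
    payload = json.loads(raw_json)
    hits = leaked_fields(payload)
    return {"leaked": hits, "ok": not hits}


# Constructed samples (assumed shape): an inactive user's account as an
# unpatched deployment might serialize it, and the same account after the fix.
UNPATCHED_RESPONSE = json.dumps({
    "username": "alice",
    "email": "alice@example.com",
    "is_active": False,
    "activation_key": "0123456789abcdef0123456789abcdef",
})

PATCHED_RESPONSE = json.dumps({
    "username": "alice",
    "email": "alice@example.com",
    "is_active": False,
})


if __name__ == "__main__":
    # Usage: save the body of GET /api/user/v1/accounts/<username> to a file
    # and pass its path; with no argument the constructed samples are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_response(fh.read()))
    else:
        print("unpatched:", check_response(UNPATCHED_RESPONSE))
        print("patched:  ", check_response(PATCHED_RESPONSE))
```

Run it against a response captured from the rebuilt deployment for a user whose account is still inactive, since that is the state in which the field carried a live secret; a non-empty "leaked" list means the image was not rebuilt with the patch or a different layer is re-adding the field.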

Gi-ron force-pushed the sgb/activation-key-security-backport branch from fd4b8d9 to fd339b1 on April 10, 2026 14:16
Gi-ron (Contributor, Author) commented Apr 10, 2026

@regisb could you please take a look at this security backport?

ahmed-arb (Collaborator) commented:

Thank you @Gi-ron, could you please verify if you have tested image builds with this patch?

@ahmed-arb ahmed-arb moved this from Pending Triage to In review in Tutor project management Apr 14, 2026
Gi-ron (Contributor, Author) commented Apr 15, 2026

@ahmed-arb Yes I have tested the image builds with this patch and everything is working correctly. No issues found.

ahmed-arb (Collaborator) commented:

Okay, merging it then.

@ahmed-arb ahmed-arb merged commit be332ff into overhangio:release Apr 17, 2026
2 checks passed
@github-project-automation github-project-automation bot moved this from In review to Done in Tutor project management Apr 17, 2026


3 participants