CVE-2024-41806: The Open edX Platform is a learning management platform. Instructors can upload CSV files containing learner information
Summary
Open edX is a learning management platform (software that manages courses and students) where instructors upload CSV files (spreadsheet files with student data) to create student groups called cohorts. In certain versions, these uploaded files could become publicly accessible on AWS S3 buckets (cloud storage), exposing sensitive learner information to anyone on the internet.
Solution / Mitigation
The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL (access control list, which controls who can view files). Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.
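One way to check existing uploads for public access, as the mitigation above asks. This is an added example, not code from the Open edX project: the bucket name, prefix and object keys are the deployer's own (the sample keys below are constructed), and the live variant assumes boto3 and AWS credentials are available.

```python
# Added example: flag S3 objects whose ACL grants access to everyone.
# ACL dicts follow the shape returned by the S3 GetObjectAcl API.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_grants(acl):
    """Return the sorted permissions an ACL gives to the public groups."""
    return sorted(
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    )

def audit(acls_by_key):
    """Map object key -> public permissions, only for keys that have any."""
    return {k: p for k, a in acls_by_key.items() if (p := public_grants(a))}

def audit_bucket(bucket, prefix):
    """Live variant: list objects under a prefix and audit each object's ACL."""
    import boto3  # imported here so the offline sample runs without boto3
    s3 = boto3.client("s3")
    acls = {}
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for obj in page.get("Contents", []):
            acls[obj["Key"]] = s3.get_object_acl(Bucket=bucket, Key=obj["Key"])
    return audit(acls)

# Constructed sample ACLs (keys and owner IDs are made up for illustration).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "cohorts/constructed-private.csv": {"Grants": [OWNER]},
    "cohorts/constructed-public.csv": {"Grants": [OWNER, {
        "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ"}]},
    "cohorts/constructed-authenticated.csv": {"Grants": [OWNER, {
        "Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
        "Permission": "READ"}]},
}

if __name__ == "__main__":
    for key, perms in audit(SAMPLE_ACLS).items():
        print(f"PUBLIC {key}: {', '.join(perms)}")
```

Objects it flags can be reset with S3's canned `private` ACL, for example boto3's `put_object_acl(Bucket=..., Key=..., ACL="private")`.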
Vulnerability Details
5.3 (medium)
EPSS: 0.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-41806
First tracked: February 15, 2026 at 08:37 PM