CVE-2026-14778: Improper Authorization in SourceCodester LMS
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14778 |
| CVSS score | 7.3 High |
| Attack vector | Remote |
| Auth required | Yes, authenticated user |
| Patch status | No official patch or fixed version identified as of 2026-07-06 |
TL;DR - CVE-2026-14778 is an IDOR and improper authorization flaw in
/ajax_enroll.php. - SourceCodester Online Examination & Learning Management System 1.0 is affected. - Public exploit details exist, but no confirmed CISA KEV listing or official fix is known.
Vulnerability at a glance
CVE-2026-14778 is an improper authorization issue, commonly described as an insecure direct object reference or IDOR, in SourceCodester Online Examination & Learning Management System. The vulnerable component is the enrollment management endpoint /ajax_enroll.php, where attacker-controlled parameters such as student_id, schedule_id, and action can allegedly be modified without adequate server-side authorization checks.
For defenders, the practical impact is straightforward: a logged-in user may be able to perform enrollment actions against records that do not belong to them. This is not just a theoretical weakness. The NVD entry states that public exploit details have been disclosed, and the public writeup describes request-level abuse using ordinary authenticated access. That combination makes this issue more urgent than an obscure bug with no exploit path.
What is this vulnerability?
At its core, this CVE appears to be a missing authorization check on a state-changing backend endpoint. The issue is not that the application fails to authenticate users entirely. Instead, it appears to trust that any authenticated user reaching /ajax_enroll.php is allowed to act on any supplied student_id or schedule_id. That is the hallmark of an IDOR: direct reference to an object identifier without proper access control validation.
The public writeup also notes missing CSRF protections on the same endpoint. That matters because it broadens the abuse path. If the authorization flaw allows an authenticated user to alter enrollment records, and CSRF protections are absent, an attacker may be able to trigger those actions through a malicious page visited by a logged-in victim. Even if you view the CSRF aspect as secondary to the main CVE, it raises operational risk because unauthorized enrollment changes may occur without the victim intentionally interacting with the application’s enrollment UI.
Who is affected?
The confirmed affected version, based on the available sources, is SourceCodester Online Examination & Learning Management System 1.0. The NVD description contains a product-name typo, listing “Onlne Examination & Learning Management System,” but NVD itself notes that the product name appears to contain a typo. Public exploit material and SourceCodester references support normalizing the name to Online Examination & Learning Management System.
At this time, there is no verified evidence in the provided sources that versions other than 1.0 are affected or fixed. Defenders should therefore avoid assuming either broader impact or safe later builds unless they have directly tested their deployment or obtained code-level confirmation. If your environment runs a customized fork, repackaged copy, or derivative of this SourceCodester application, you should assume potential exposure if the codebase includes the same /ajax_enroll.php logic.
| Product | Affected versions | Fixed version |
|---|---|---|
| SourceCodester Online Examination & Learning Management System | 1.0 | Unknown. No official fixed version identified |
CVSS Score and Severity Context
The published CVSS base score is 7.3 High. The NVD-derived research note confirms the score, but the full vector string was not available in the supplied material. Because the vector is unknown from the retrieved data, defenders should not over-interpret submetrics such as attack complexity or confidentiality impact beyond what the public description supports.
Even without the full vector string, the severity makes sense operationally. This is a remotely reachable web flaw that requires authentication but can alter enrollment records across authorization boundaries. In many educational environments, enrollment state drives course access, scheduling, attendance tracking, and downstream reporting. That means integrity impact can be substantial even if the bug does not directly expose arbitrary code execution or database takeover.
Exploitation Status
Public exploit details are available. The NVD description explicitly states that the exploit has been disclosed publicly and may be used, and the referenced GitHub writeup provides a concrete abuse path for the vulnerable endpoint. Based on the available evidence, you should treat this as a vulnerability with a known, documented exploitation method rather than a vague advisory.
At the same time, confirmed in-the-wild exploitation is not established from the supplied sources. CISA KEV lookup indicates that CVE-2026-14778 is not currently listed in the Known Exploited Vulnerabilities catalog. That does not prove absence of exploitation. It only means there is no confirmed KEV status in the available data. In practice, defenders should assume opportunistic abuse is plausible because public exploit details exist and the vulnerable endpoint appears simple to reach with an authenticated session.
Technical Notes
The public writeup describes abuse of:
POST /ajax_enroll.php- Parameters:
student_idschedule_idaction
A representative request pattern from the described behavior would look like:
POST /ajax_enroll.php HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=valid-session-id
student_id=12&schedule_id=7&action=enroll
Defenders should note the key risk indicator here: the actor is authenticated, but the supplied student_id may not correspond to the current session user.
What Defenders Should Do Next
Start by inventorying whether your organization runs SourceCodester Online Examination & Learning Management System 1.0 or a customized derivative. Because the product name appears inconsistently in public references, search both “Online” and the typo variant “Onlne” in asset records, deployment notes, and downloaded package names. If you find the platform, verify whether /ajax_enroll.php exists and whether enrollment actions are exposed to ordinary authenticated users.
Next, treat this as a likely-to-be-abused web authorization issue rather than waiting for formal exploitation confirmation. Hunt historical logs for suspicious enrollment changes, add monitoring around the endpoint, and implement either code fixes or compensating restrictions immediately. Since no official fixed version is currently known, your risk decision should be based on exposure, user population, and the sensitivity of enrollment integrity in your environment.
For more information on securing your systems, refer to our articles on VPN vs. Zero Trust Network Access and What is SIEM? A Practitioner’s Definition.
How to Detect Potential Exploitation
Detection should focus on two questions: who is calling /ajax_enroll.php, and are they modifying records outside their expected authority? Because this is an authorization flaw, simple request counting is not enough. You need correlation between the authenticated session identity and the student_id or enrollment target in the request. If your application logs do not currently record both values, that is an immediate visibility gap worth fixing.
You should also look for unusual sequences such as repeated enrollment changes across multiple student IDs from a single user account, especially student-role accounts. In a typical educational workflow, a student account should not submit rapid-fire actions for many different student_id values. Even if role data is missing in the logs, a burst of POST requests to /ajax_enroll.php with alternating student_id and action values is suspicious enough to investigate.
Technical Notes
Example web log pattern to search for:
POST /ajax_enroll.php student_id=*&schedule_id=*&action=*
If your reverse proxy or application logs POST bodies, a basic grep can help triage:
grep -R "ajax_enroll.php" /var/log/nginx /var/log/apache2 /var/log/httpd 2>/dev/null
A more targeted hunt for parameterized enrollment changes:
grep -R -E "POST .*ajax_enroll\.php|student_id=|schedule_id=|action=" /var/log/nginx /var/log/apache2 /var/log/httpd 2>/dev/null
Example Splunk query:
index=web_logs ("POST /ajax_enroll.php" OR uri_path="/ajax_enroll.php")
| rex field=request_body "student_id=(?<student_id>\d+)"
| rex field=request_body "schedule_id=(?<schedule_id>\d+)"
| rex field=request_body "action=(?<action>[A-Za-z_]+)"
| stats count dc(student_id) as distinct_students values(action) as actions by src_ip, user, session_id
| where distinct_students > 3
Example Sigma-style logic concept for SIEM translation:
title: Suspicious Access to ajax_enroll.php With Multiple Student Targets
logsource:
category: webserver
detection:
selection:
cs-method: POST
cs-uri-stem: /ajax_enroll.php
condition: selection
fields:
- c-ip
- cs-username
- cs-uri-query
falsepositives:
- bulk administrative enrollment actions
level: medium
If your logs do not capture request bodies, monitor for repeated POSTs to /ajax_enroll.php by low-privilege accounts and add instrumentation at the application or WAF layer as a compensating control.
Mitigation and Patching
As of 2026-07-06, no official vendor patch or fixed version has been identified in the supplied sources. That means there is no verified upgrade target to quote beyond stating that the affected release is 1.0 and the fixed version is unknown. In the absence of a confirmed vendor fix, defenders should assume the application remains vulnerable until code review or testing proves otherwise.
If you operate this application, the best immediate course is layered mitigation. First, restrict access to the application or specifically to enrollment-management functionality to only trusted users and networks. Second, review the code handling /ajax_enroll.php and implement authorization checks that verify the current session is permitted to modify the target student_id and schedule_id. Third, add anti-CSRF controls for all state-changing requests. Finally, enable audit logging that records the acting user, target student, action, and source IP.
Technical Notes
Because there is no known fixed release command from the vendor, there is no honest upgrade command to provide for a patched version. Defenders should not fabricate one. Instead, use a code-level workaround and deployment process.
Example PHP authorization logic to add before processing enrollment actions:
session_start();
require_once 'db.php';
$current_user_id = $_SESSION['user_id'] ?? null;
$current_role = $_SESSION['role'] ?? null;
$student_id = $_POST['student_id'] ?? null;
$schedule_id = $_POST['schedule_id'] ?? null;
$action = $_POST['action'] ?? null;
if (!$current_user_id) {
http_response_code(401);
exit('Unauthorized');
}
$allowed_roles = ['admin', 'instructor', 'registrar'];
if (!in_array($current_role, $allowed_roles, true)) {
http_response_code(403);
exit('Forbidden');
}
/* Add explicit authorization checks here to verify the acting user
is permitted to manage the specified student_id and schedule_id. */
If you need an immediate containment workaround at the web tier, restrict direct access to the vulnerable endpoint while you validate business impact. Example Apache rule:
<Files "ajax_enroll.php">
Require ip 10.0.0.0/8 192.168.0.0/16
</Files>
Example Nginx restriction:
location = /ajax_enroll.php {
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
}
Basic deployment workflow after modifying the PHP file:
cp ajax_enroll.php ajax_enroll.php.bak
vi ajax_enroll.php
php -l ajax_enroll.php
systemctl reload apache2 || systemctl reload nginx
If you cannot safely modify the application code, consider temporarily disabling self-service enrollment actions or placing the application behind VPN-only access until a verified remediation path is available.
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-14778
- Public PoC/writeup: https://github.com/nuiifornet/A033/blob/main/OE-LMS-IDOR-ajax_enroll.md
- Raw PoC content: https://raw.githubusercontent.com/nuiifornet/A033/main/OE-LMS-IDOR-ajax_enroll.md
- SourceCodester: https://www.sourcecodester.com/
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.