Commit 36359f0
fix: remove activation_key from account REST API response
The activation_key field was exposed in /api/user/v1/accounts/{username},
allowing an attacker to bypass email verification by combining two behaviors:
1. OAuth2 password grant issues tokens to inactive users (intentional)
2. activation_key returned in API response (the vulnerability)
An attacker could register, get an OAuth2 token, read the activation_key
from the API, then GET /activate/{key} to activate without email access.
Fix: remove activation_key from UserReadOnlySerializer.to_representation()
and from ACCOUNT_VISIBILITY_CONFIGURATION["admin_fields"] (which controls
the field whitelist in _filter_fields — listed fields default to None even
if absent from the serializer data dict).
Reported by Daniel Baillo via the Open edX security working group.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>1 parent 338ec18 commit 36359f0
4 files changed
Lines changed: 10 additions & 18 deletions
File tree
- lms/envs
- openedx/core/djangoapps/user_api/accounts
- tests
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4305 | 4305 | | |
4306 | 4306 | | |
4307 | 4307 | | |
4308 | | - | |
4309 | 4308 | | |
4310 | 4309 | | |
4311 | 4310 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
142 | 142 | | |
143 | 143 | | |
144 | 144 | | |
145 | | - | |
146 | | - | |
147 | | - | |
148 | | - | |
149 | | - | |
150 | 145 | | |
151 | 146 | | |
152 | 147 | | |
| |||
161 | 156 | | |
162 | 157 | | |
163 | 158 | | |
164 | | - | |
165 | 159 | | |
166 | 160 | | |
167 | 161 | | |
| |||
Lines changed: 0 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
632 | 632 | | |
633 | 633 | | |
634 | 634 | | |
635 | | - | |
636 | 635 | | |
637 | 636 | | |
638 | 637 | | |
| |||
Lines changed: 10 additions & 10 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
358 | 358 | | |
359 | 359 | | |
360 | 360 | | |
361 | | - | |
362 | | - | |
| 361 | + | |
| 362 | + | |
363 | 363 | | |
364 | 364 | | |
365 | 365 | | |
| |||
488 | 488 | | |
489 | 489 | | |
490 | 490 | | |
491 | | - | |
| 491 | + | |
492 | 492 | | |
493 | | - | |
| 493 | + | |
494 | 494 | | |
495 | | - | |
496 | | - | |
| 495 | + | |
| 496 | + | |
497 | 497 | | |
498 | 498 | | |
499 | 499 | | |
500 | 500 | | |
501 | 501 | | |
502 | 502 | | |
503 | | - | |
| 503 | + | |
504 | 504 | | |
505 | 505 | | |
506 | 506 | | |
| |||
811 | 811 | | |
812 | 812 | | |
813 | 813 | | |
814 | | - | |
| 814 | + | |
815 | 815 | | |
816 | 816 | | |
817 | 817 | | |
818 | 818 | | |
819 | | - | |
| 819 | + | |
820 | 820 | | |
821 | 821 | | |
822 | 822 | | |
| |||
831 | 831 | | |
832 | 832 | | |
833 | 833 | | |
834 | | - | |
| 834 | + | |
835 | 835 | | |
836 | 836 | | |
837 | 837 | | |
| |||
0 commit comments