| What is it | Status | Who's affected | Why now | What to do |
|---|---|---|---|---|
| An open redirect in /survey/?redirect_url= turns your LMS domain into a phishing launcher | Fixed in upstream commit 76462f1e5f. No named release (Quince, Redwood, Sumac, Teak) has a backport tag as of 2026-05-12. | Any Open edX instance from Maple onwards. Ulmo too, unless you've verified the cherry-pick landed. | Five days ago, ShinyHunters held Canvas LMS hostage across 8,809 institutions. LMS domain trust is the asset attackers want next. | Run the 5-second self-check, then apply one of four patching options. |
CVE-2026-35404 is a textbook CWE-601 open redirect (a flaw where the application redirects users to a URL chosen by an attacker) in the Open edX survey app. The view_survey endpoint at lms/djangoapps/survey/views.py accepts a redirect_url GET parameter and passes it directly to Django's HttpResponseRedirect() with no validation. The same unvalidated URL is also embedded in a hidden form field and returned in a JSON response after form submission, where client-side JavaScript performs location.href = url.
So the bug has two vectors: a server-side 302 on a non-existent survey name, and a client-side redirect after submit.
The attack shape is what makes this dangerous: https://YOUR-LMS/survey/FAKESURVEY/?redirect_url=https://evil-clone-of-your-sso.example/
That link gets distributed via email, Slack, or even an in-LMS announcement. Users see your real domain, click, and land on a pixel-perfect clone of your login page. Their credentials are harvested before they realize anything is off. The "check the URL before clicking" advice every institution drills into its users? It just told them this link was safe.
According to the Hoxhunt Phishing Trends Report 2026, URL redirection was used in 48% of phishing links in 2025, up from 39% the year before.
On 2026-05-07, the ShinyHunters ransomware group replaced the Canvas LMS login page with a ransom note across 8,809 universities, ministries, and schools worldwide. The group claimed exfiltration of 3.65 TB of data and roughly 275 million records - names, email addresses, student IDs, and private messages between students and teachers (Inside Higher Ed, CNN). On 2026-05-11, Instructure announced it had paid an undisclosed ransom and that the data was destroyed.
This issue is not the Canvas vulnerability. Different platform, different vendor, different bug. We are not suggesting it is, and you should not let anyone tell you otherwise.
But the threat model is identical. Canvas demonstrated that LMS platforms are now a top-tier target for organized credential and data-theft groups — and the UK's 2025/2026 Cyber Security Breaches Survey found that 96% of breaches at higher and further education institutions involve phishing. CVE-2026-35404 is a separate, public, currently-unbackported primitive that gives attackers exactly the trust-laundering foothold these incidents start with. Before 2026-05-07, "we'll patch on the next maintenance window" was defensible. After 2026-05-07, running a known unpatched LMS phishing vector is a documented choice.
This section is the most important thing in the post. We're not asking you to trust Cubite; we're handing you a way to verify on your own infrastructure.
Log in to your LMS and paste https://YOUR-LMS/survey/xtest/?redirect_url=https://en.wikipedia.org/wiki/Phishing into your browser. If you are redirected to the Wikipedia page, you are affected and need to fix this ASAP.
Here is the entire fix from the upstream commit, against lms/djangoapps/survey/views.py:
Pick the one that matches your deployment. Options 1–3 are real fixes. Option 4 is a stopgap only.
If you already maintain a Tutor plugin that patches edx-platform (anything that adds Dockerfile patch entries), add one line.
In your plugin's openedx-dockerfile-post-git-checkout patch, append:
```dockerfile
RUN curl -fsSL https://github.com/openedx/edx-platform/commit/76462f1e5fa9b37d2621ad7ad19514b403908970.patch | git am
```
Then rebuild and deploy:
Create a one-file Tutor plugin. Save the following as ~/.local/share/tutor-plugins/survey-openredirect-cve-2026-35404.py:
Enable the plugin and rebuild:
Total downtime is the few seconds it takes the LMS container to restart. You can delete the plugin once Open edX backports the fix to your named release and you bump to a patched tag.
If you maintain your own fork of edx-platform, cherry-pick the upstream fix onto whatever branch you deploy from:
The commit touches only lms/djangoapps/survey/views.py plus one test file. It applies cleanly against every named release we checked from Redwood backwards. If it conflicts (extremely unlikely — survey/views.py hasn't changed meaningfully in years), apply the two diffs from "The fix" section above by hand.
After deploying any option, paste this in a logged-in browser tab: https://YOUR-LMS/survey/xtest/?redirect_url=https://en.wikipedia.org/wiki/Phishing
Expected: you land on /dashboard. If you still land on the Wikipedia article, the patch did not apply; check the build logs for git am errors (Options 1–2) or git cherry-pick errors (Option 3).
If you operate Open edX and want help backporting CVE-2026-35404, email security@cubite.io. We can do it for you in 1 business day, or hand you the verified diff as a public gist for free if you'd rather apply it yourselves.
CVE-2026-35404 is an open redirect vulnerability (CWE-601) in the Open edX survey app. The view_survey endpoint accepts an attacker-controlled redirect_url GET parameter and passes it directly to HttpResponseRedirect() with no validation, letting attackers turn any Open edX instance into a phishing launcher. Fixed in upstream master on 2026-04-02.
The underlying mechanism is a textbook open redirect: user-supplied input flows into both a server-side HttpResponseRedirect() and a client-side location.href assignment without any allowlist or origin check. The attack value comes from the trust the victim places in the LMS domain, not from any compromise of the LMS itself.
If you run any named Open edX release from Maple onwards (Quince, Redwood, Sumac, Teak, Ulmo) and haven't manually patched lms/djangoapps/survey/views.py, you are affected. Confirm in five seconds by visiting /survey/xtest/?redirect_url=https://en.wikipedia.org/wiki/Phishing on your LMS — if it redirects off-domain, you're vulnerable.
Three ways to verify, in increasing rigour: the browser URL test, a grep of lms/djangoapps/survey/views.py in your checkout, and a curl -sSI against the same URL to read the Location header headlessly. All three are in the self-check section above.
Create a one-file Tutor plugin that injects a git am of upstream commit 76462f1e5f via the openedx-dockerfile-post-git-checkout patch hook, then run tutor images build openedx followed by tutor local stop && tutor local start -d. Total downtime is the few seconds the LMS container takes to restart.
Full step-by-step in Option 2 above. If you already maintain a customizations plugin, Option 1 is one line of change to your existing plugin.
The upstream fix removes the user-supplied redirect_url GET parameter entirely from view_survey, defaulting all post-survey redirects to the dashboard. It's a five-line diff in lms/djangoapps/survey/views.py — no migrations, no new dependencies, no settings changes. Upstream commit: .
Upstream chose removal over validation because the parameter was never a documented public integration point, the only legitimate caller passes a server-computed URL via function argument, and dropping the parameter eliminates the attack surface entirely.
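For readers who maintain a fork where a redirect parameter has to survive, this added example (not Open edX or Cubite code) shows the validation alternative the post contrasts with: a stdlib-only allowlist check mirroring the core of Django's url_has_allowed_host_and_scheme(), covering the scheme-relative and backslash variants that a naive startswith("/") test misses. The same function also classifies a Location header captured from the self-check described above; the host names and headers are constructed.

```python
"""Redirect-target checks for the CVE-2026-35404 bug class (CWE-601).

Added example, not Open edX or Cubite code. Upstream removed redirect_url
outright; where a redirect parameter must stay, the target has to be checked
against the LMS's own host, which is what this does with only the standard
library (it mirrors the core of Django's url_has_allowed_host_and_scheme()).
classify_location() applies the same test to a Location header captured from
the post's self-check. All host names and headers here are constructed.
"""
from urllib.parse import urlsplit

DASHBOARD = "/dashboard"  # where upstream now sends every post-survey redirect


def is_safe_redirect(url, allowed_hosts):
    """True only if url is relative or stays on an allowed host over http(s)."""
    # Empty, padded, or control-character-laden targets are rejected outright:
    # some browsers ignore leading control characters and then read the rest
    # as scheme-relative.
    if not url or url != url.strip() or any(ord(c) < 0x20 for c in url):
        return False
    # Browsers treat "\" like "/" in the authority position, so "/\evil.example"
    # is an off-site redirect; normalise before parsing so urlsplit sees it too.
    url = url.replace("\\", "/")
    # Three or more leading slashes are read as scheme-relative by browsers,
    # but urlsplit() yields an empty netloc, so reject them explicitly.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # "https:evil.example" parses with a scheme but no netloc; browsers still
    # navigate off-site. Any non-http(s) scheme (javascript:, data:) fails too.
    if parts.scheme and (not parts.netloc or parts.scheme not in ("http", "https")):
        return False
    # hostname strips userinfo and port, so "lms.example.edu@evil.example"
    # is judged on evil.example, and it is lower-cased for the comparison.
    return not parts.netloc or parts.hostname in allowed_hosts


def resolve_redirect(requested, allowed_hosts):
    """Issue the requested target only if it is safe; otherwise the dashboard."""
    return requested if is_safe_redirect(requested, allowed_hosts) else DASHBOARD


def classify_location(location_header, lms_host):
    """Read the Location header from the self-check response (taken from an
    authenticated session, as the post requires) and report patch status."""
    return "patched" if is_safe_redirect(location_header, {lms_host}) else "vulnerable"
```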
CVSS scores direct technical impact on the vulnerable system. It does not score the social-engineering leverage of laundering an attacker URL through a trusted education domain that bypasses email filters, security training, and SSO trust assumptions. For any Open edX instance with live enrollment, we rate this critical operationally.
The supporting data is unambiguous: URL redirection was used in 48% of phishing links in 2025 (Hoxhunt 2026), and 96% of breaches at UK higher-education institutions in 2025/26 involved phishing (UK Government). CVSS doesn't model that.
No. CVE-2026-35404 is a separate vulnerability in Open edX, an open-source LMS unrelated to Instructure's Canvas. They share a threat model — phishing against trusted LMS domains — but the bugs, vendors, and incidents are unrelated. The Canvas breach is context for urgency, not the vulnerability itself.
We're emphasizing this because the timing is uncomfortably close and we expect the conflation to happen. Don't let anyone tell you Open edX is "next" because of Canvas. Open edX has its own, separately disclosed and separately patchable issue — this one — and the responsible path is to patch it on its own merits.