Is your Open edX deployment exposed?

After the May 7, 2026 Canvas LMS breach — ShinyHunters claimed roughly 275 million records pulled from Instructure across thousands of institutions — boards and IT leaders are all asking one question: "Are our students' records safe?" With FERPA (US) and GDPR (EU) on the line, the answer isn't just a security question anymore — it's a compliance one. Pick your Open edX release below to find out where you stand.

Sourced verbatim from the GitHub Advisory Database — GHSA IDs, CVEs, and severity unchanged.
15 advisories · 21 releases · reviewed 2026-05-08

Skipping releases is how upgrades fail

Open edX upgrades have to run sequentially. Three reasons why:

01 MongoDB FCV chain
A newer mongod binary refuses to start on data files whose feature-compatibility version (FCV) is more than one major behind it, so FCV has to be raised one major at a time, on each hop. Lilac → Ulmo is four FCV bumps, in order.

02 Python & Django pins
Python 2.7 → 3.5 → 3.8 → 3.11 → 3.12: each step breaks dependency resolution, and Django LTS migrations are written one step at a time.

03 Migrations assume prior schema
Each release's data migrations expect the previous release's schema. Skipping a release means they hang, fail, or silently corrupt data, with no one-command rollback.

Talk to a senior Open edX engineer

13+ years of Open edX, deployments and upgrades shipped for Starbucks, Snowflake, and ASU. The 30-minute call is free — no pitch.

Book a Free Consultation


Frequently asked questions

How current is this CVE list?
Every advisory is sourced from the public GitHub Security Advisory Database (the same feed GitHub uses to notify maintainers). GHSA IDs, CVE IDs, severity, and publication dates are copied verbatim from the API. The data was last reviewed on 2026-05-08. For anything published after that date, click through to the GitHub source link on each advisory.
I only know my Tutor version. Can I use this?
Yes. The tool's second tab accepts a Tutor version like 17.0.4. Tutor majors map to named releases (3 → Ironwood, 10 → Juniper, 11 → Koa, 12 → Lilac, 13 → Maple, 14 → Nutmeg, 15 → Olive, 16 → Palm, 17 → Quince, 18 → Redwood, 19 → Sumac, 20 → Teak, 21 → Ulmo, 22 → Verawood). If you're on something older or self-installed without Tutor, pick the release name directly.
Why is everything except Ulmo marked Unsupported?
That's the official Open edX policy — only the latest named release receives security patches and bug fixes from upstream. The line is published in the Open edX docs under 'Named Release Branches and Tags.' Even Teak, which shipped 2025-06-06, is officially Unsupported. This is uncomfortable but it's the truth most operators don't realize until they need a CVE patched.
Do you patch old Open edX releases?
Yes. Cubite has back-ported critical patches to Hawthorn, Juniper, Koa, Maple, Nutmeg, and Olive for clients who can't upgrade on a normal cadence (regulatory freezes, custom XBlocks, vendor coordination, etc). On the consultation call we'll talk honestly about whether back-porting or upgrading is the right call for your situation.
Why are upgrades not skippable?
Open edX upgrades touch MongoDB feature-compatibility versions, Django and Python version pins, and migration scripts written assuming the previous release's schema. Skipping a release breaks the FCV chain and the migration scripts. The official guidance and Tutor's own launch logic assume you upgrade one named release at a time. A Lilac → Ulmo jump is realistically 9 sequential upgrades.
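The two rules above (one named release per hop, one MongoDB major per FCV bump) and the Tutor-major mapping from the earlier answer are easy to get wrong by hand during a long upgrade. Here is a small planner that encodes them, added as an example; it is not Cubite's checker or any Open edX project code. The Tutor-to-release table is the one given in the FAQ; the MongoDB major sequence and the `confirm: true` requirement on `setFeatureCompatibilityVersion` from MongoDB 7.0 onward are assumptions taken from MongoDB's own version line, not from this page. It does not know which MongoDB version each Open edX release ships, so you supply the current and target FCV yourself.

```python
"""Open edX upgrade-path planner (added example, not Cubite's tool).

Rules encoded: named releases are upgraded one at a time, and MongoDB
feature-compatibility version (FCV) is raised one major at a time.
"""
import re
from typing import Optional

# Tutor major -> named release, as listed in the FAQ.
TUTOR_TO_RELEASE = {
    3: "Ironwood", 10: "Juniper", 11: "Koa", 12: "Lilac", 13: "Maple",
    14: "Nutmeg", 15: "Olive", 16: "Palm", 17: "Quince", 18: "Redwood",
    19: "Sumac", 20: "Teak", 21: "Ulmo", 22: "Verawood",
}

# Release line in order; list position defines upgrade order.
# Hawthorn is included because the FAQ mentions back-ports to it.
RELEASES = [
    "Hawthorn", "Ironwood", "Juniper", "Koa", "Lilac", "Maple", "Nutmeg",
    "Olive", "Palm", "Quince", "Redwood", "Sumac", "Teak", "Ulmo", "Verawood",
]

# MongoDB major line. Assumption: upstream's public release sequence,
# not something stated on the page.
MONGO_MAJORS = ["3.6", "4.0", "4.2", "4.4", "5.0", "6.0", "7.0", "8.0"]


def release_from_tutor(version: str) -> str:
    """Map a Tutor version string such as '17.0.4' (or 'v17') to its release."""
    m = re.fullmatch(r"v?(\d+)(?:\.\d+){0,2}", version.strip())
    if not m:
        raise ValueError(f"not a Tutor version: {version!r}")
    major = int(m.group(1))
    if major not in TUTOR_TO_RELEASE:
        raise ValueError(f"Tutor major {major} has no known named release")
    return TUTOR_TO_RELEASE[major]


def upgrade_path(current: str, target: str) -> list:
    """Ordered releases to upgrade through, ending at target, excluding current."""
    i, j = RELEASES.index(current), RELEASES.index(target)
    if j <= i:
        raise ValueError("target must be newer than the current release")
    return RELEASES[i + 1 : j + 1]


def check_plan(plan: list) -> Optional[str]:
    """Describe the first skipped release in a proposed plan, or None if sequential."""
    for a, b in zip(plan, plan[1:]):
        ia, ib = RELEASES.index(a), RELEASES.index(b)
        if ib != ia + 1:
            skipped = RELEASES[ia + 1 : ib]
            return f"{a} -> {b} skips {', '.join(skipped)}"
    return None


def fcv_steps(current: str, target: str) -> list:
    """Ordered FCV values to set, one MongoDB major at a time."""
    i, j = MONGO_MAJORS.index(current), MONGO_MAJORS.index(target)
    if j < i:
        raise ValueError("FCV downgrade is not an upgrade step")
    return MONGO_MAJORS[i + 1 : j + 1]


def fcv_commands(current: str, target: str) -> list:
    """mongosh admin commands for each FCV bump, in order.

    Assumption: from MongoDB 7.0 the command requires `confirm: true`.
    """
    cmds = []
    for fcv in fcv_steps(current, target):
        major_tuple = tuple(int(p) for p in fcv.split("."))
        if major_tuple >= (7, 0):
            cmds.append(f'db.adminCommand({{ setFeatureCompatibilityVersion: "{fcv}", confirm: true }})')
        else:
            cmds.append(f'db.adminCommand({{ setFeatureCompatibilityVersion: "{fcv}" }})')
    return cmds


if __name__ == "__main__":
    cur = release_from_tutor("12.0.0")          # Lilac
    path = upgrade_path(cur, "Ulmo")
    print(f"{cur} -> Ulmo: {len(path)} sequential upgrades: {' -> '.join(path)}")
    print("skip check:", check_plan([cur, "Maple", "Olive", "Ulmo"]))
    for cmd in fcv_commands("4.2", "7.0"):      # FCV endpoints are illustrative
        print(cmd)
```

Run `check_plan` against the hop list you actually intend to execute before you start; a plan that skips a release is the failure mode described above, and the function names the release you would have jumped over. Each FCV command is run on the mongod binary of the version you have just upgraded to, after the replica set is healthy and before the next binary upgrade.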
What about Canvas LTI? We use Canvas as our LMS.
Cubite also offers Canvas LTI integration as one of our core service pillars — embedding rich Open edX-style content and assessments inside Canvas via LTI 1.3. If you're rethinking your LMS posture after the May 2026 breach, the consultation call covers Canvas LTI options as well as Open edX migration.
Is the data complete?
No — and we say so explicitly. We track GHSAs from edx-platform and the most-installed XBlocks/services (lti-consumer-xblock, edx-enterprise, xblock-drag-and-drop-v2, course-discovery, credentials, ecommerce). Some bugs are platform-wide and live only in mailing lists or release notes, never get a GHSA, and we may not have surfaced them. Treat this as a starting point, not a guarantee.
Will you add Verawood, Willow, and beyond?
Yes. New named releases ship roughly every six months. Adding one is a one-line change to our release file; adding new advisories is a one-record append. The architecture is built for this.

Spotted a missing advisory or a wrong release date? Email us — accuracy matters more than coverage.

Free Open edX Security Audit & Upgrade Path Checker | Cubite