| SECURITY UPDATE | |
| --- | --- |
| Release Date: | 2017-01-11 |
| Description: | Arbitrary Collaboration Enrollment |
| Criticality Level: | Highly Critical |
| Impact: | Potential Exposure of Sensitive Data |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Internal Audit |
| Relevant Changesets: | Restrict collaboration membership by context (instructure/canvas-lms@67491e3b) |

Summary:
During a routine security audit of the Canvas code base and platform, a bug in the permission check for collaboration enrollment was discovered. The bug could allow a teacher or admin to enroll users in a course collaboration in which they would not normally have been allowed to be enrolled. This could allow access to basic user information that the teacher or admin might not otherwise have access to.
Status:
All systems were patched as of 15:14 MT on 1/5/2017.
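
The class of bug described in the Summary, shown as an added example that is not Canvas code or taken from the referenced changeset: a membership update that accepts any user id, next to a form that restricts members to the collaboration's own context. The `Course` struct, the `Collaboration` class, its method names and the sample ids are all hypothetical, and treating "allowed" as "enrolled in the course" is an assumption drawn from the changeset title.

```ruby
require 'set'

# Hypothetical in-memory stand-ins for illustration; not Canvas models.
Course = Struct.new(:id, :member_ids)

class Collaboration
  attr_reader :context, :collaborator_ids

  def initialize(context)
    @context = context
    @collaborator_ids = Set.new
  end

  # Shape of the bug: every requested user id is accepted, whether or not
  # that user belongs to the collaboration's course.
  def update_members_unchecked(requested_ids)
    @collaborator_ids = Set.new(requested_ids)
  end

  # Restricted form: only users enrolled in the collaboration's context are
  # accepted. Rejected ids are returned so the caller can log or alert on them.
  def update_members(requested_ids)
    requested = Set.new(requested_ids)
    allowed = requested & context.member_ids
    @collaborator_ids = allowed
    (requested - allowed).to_a.sort
  end
end

# Runs both forms over the same constructed request and returns the outcome.
def demo
  course = Course.new(101, Set[1, 2, 3]) # constructed sample data
  request = [2, 3, 99]                   # user 99 is not in course 101

  unchecked = Collaboration.new(course)
  unchecked.update_members_unchecked(request)

  checked = Collaboration.new(course)
  rejected = checked.update_members(request)

  { unchecked: unchecked.collaborator_ids.to_a.sort,
    checked: checked.collaborator_ids.to_a.sort,
    rejected: rejected }
end
```

Returning the rejected ids rather than silently dropping them gives audit logging a record of out-of-context enrollment attempts.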