OpenOlat, an open source web-based e-learning platform, contains a critical vulnerability in versions 10.5.4 to before 20.2.5 where the OpenID Connect implicit flow implementation fails to verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of compact JWTs, and the getAccessToken() methods in OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields without cryptographic signature verification against the Identity Provider's JWKS endpoint. This authentication bypass vulnerability has been patched in version 20.2.5.