CVE-2025-67856 PUBLISHED

Moodle: moodle: privilege escalation via incomplete role checks in badge awarding

Assigner: fedora
Reserved: 12.12.2025 Published: 03.02.2026 Updated: 03.02.2026

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Package Collection	https://github.com/moodle/moodle/
Package Name	moodle
Versions	Default: unaffected affected from 4.1.0 to 4.1.22 (excl.) affected from 4.4.0 to 4.4.12 (excl.) affected from 4.5.0 to 4.5.8 (excl.) affected from 5.0.0 to 5.0.4 (excl.) affected from 5.1.0 to 5.1.1 (excl.)

Credits

Red Hat would like to thank Stefan Hanauska for reporting this issue.

CVE-2025-67856 PUBLISHED

Moodle: moodle: privilege escalation via incomplete role checks in badge awarding

Metrics

Product Status

Credits

References