Inadequate access control vulnerability in Moodle
Description
Moodle LMS inadequate access control allows student users to create events for higher-privileged roles and add calendar events without consent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2024-1439 is an inadequate access control vulnerability in Moodle LMS. The flaw permits a local user with a student role to create arbitrary events intended for users with higher roles, and to add events to the calendar of all users without their prior consent [1][3].
Attack Vector and Prerequisites
The vulnerability can be exploited remotely over the network without user interaction, requiring only low privileges (student role) [3]. The CVSS v3.1 base score is 6.5 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating high integrity impact but no confidentiality or availability impact [3].
Impact and Mitigation
An attacker can compromise the integrity of the calendar system by inserting unauthorized events, potentially causing confusion or scheduling conflicts. As of the INCIBE advisory, no solution was available for affected versions (4.2 and prior) [3]. Users are advised to apply any future patches or implement workarounds as recommended by Moodle.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | <= 4.2.0 | — |
Affected products (3)
- osv-coords, 2 versions: < 4.3.4 + 1 more
- (no CPE) range: < 4.3.4
- (no CPE) range: <= 4.2.0
- Moodle/LMS v5 Range: 0
Patches (0)
No patches discovered yet.
References (3)