Moodle: partial data exposure in Moodle before completing multi-factor authentication
Description
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle users can view other students' sensitive information before the victims complete 2FA verification.
Vulnerability
CVE-2025-3627 is a security vulnerability in Moodle, the open-source learning platform. It allows some authenticated users to access sensitive information about other students before those students have finished verifying their identities using two-factor authentication (2FA).
Exploitation
The vulnerability is exploitable by a user who is already authenticated and has some level of access to the platform. The attack surface involves the period during which another student is in the process of completing their 2FA verification. No additional privileges beyond that of a regular user are required. The flaw resides in how Moodle handles access to certain data during the 2FA verification process [1][2].
Impact
An attacker exploiting this flaw can obtain sensitive information about other students. The exact type of information is not detailed in the public sources, but it is characterized as sensitive, which could include personal or academic data. This breaks the confidentiality guarantees that 2FA is intended to protect.
Mitigation
As of the publication date, the vulnerability has been publicly disclosed, and a fix is expected to be available in a Moodle security release. Users are advised to update their Moodle installations once the patched version is released [3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 4.3.0-beta, < 4.3.12 | 4.3.12 |
| moodle/moodle (Packagist) | >= 4.4.0-beta, < 4.4.8 | 4.4.8 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.4 | 4.5.4 |
Affected products
- OSV coordinates (2 version ranges, no CPE):
  - range: >= 4.3.0, < 4.3.12
  - range: >= 4.3.0-beta, < 4.3.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-x45j-jq9q-gf3q (GHSA; advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-3627 (GHSA; advisory)
3. access.redhat.com/security/cve/CVE-2025-3627 (GHSA; vdb-entry, x_refsource_REDHAT; web)
4. bugzilla.redhat.com/show_bug.cgi (GHSA; issue-tracking, x_refsource_REDHAT; web)
5. moodle.org/mod/forum/discuss.php (GHSA; web)
News mentions
No linked articles in our index yet.