Moodle: quiz notifications sent to suspended participants
Description
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle fails to verify enrolment status when sending quiz notifications, causing suspended or inactive users to receive quiz-related messages and leak limited course information.
Vulnerability
Overview
CVE-2025-62394 is an information disclosure vulnerability in Moodle, the open-source learning platform. The root cause is that the quiz module's notification system fails to verify the enrolment status of users before sending quiz-related messages. Specifically, the function get_users_within_quiz() in mod/quiz did not filter out users whose enrolment is suspended or inactive, leading to notifications being sent to users who should no longer have access to course activities [1][2].
Exploitation
An attacker does not need to be authenticated to exploit this vulnerability; it is triggered automatically by the quiz notification system. When a quiz notification is sent (e.g., a reminder or grade release), the system queries for users with the mod/quiz:attempt capability but does not apply the onlyactive flag to the enrolment check. As a result, users whose enrolment has been suspended (either at the user account level or within the course) are still included in the recipient list [3]. The commit that fixes the issue passes the named argument onlyactive: true to the get_users_by_capability() call, ensuring only actively enrolled users receive notifications [3].
Impact
The impact is limited to information disclosure. Suspended or inactive users may receive quiz-related messages, which could leak limited course information such as quiz availability, deadlines, or grades. This does not allow an attacker to modify data or gain unauthorized access to the system, but it does violate the expected privacy and access control boundaries for users whose enrolment has been revoked [1][2].
Mitigation
The vulnerability has been patched in Moodle commit 022bfbfb564d8f3866a43d26eed215213bbdd28a, which is part of the Moodle 4.x release cycle. Users should update to the latest version of Moodle that includes this fix. There is no evidence that this vulnerability is being actively exploited in the wild, and it has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.7 | 4.5.7 |
Affected products
Patches
022bfbfb564d MDL-86253 mod_quiz: Respect enrollment status in notifications
2 files changed · +6 −0
mod/quiz/classes/notification_helper.php+1 −0 modified@@ -80,6 +80,7 @@ public static function get_users_within_quiz(int $quizid): array { context: \context_module::instance($quizobj->get_cm()->id), withcapability: 'mod/quiz:attempt', userfields: 'u.id, u.firstname, u.suspended, u.auth', + onlyactive: true, ); // Filter a list of users who meet the availability conditions.
mod/quiz/tests/notification_helper_test.php+5 −0 modified@@ -92,12 +92,14 @@ public function test_get_users_within_quiz(): void { $user4 = $generator->create_user(); $user5 = $generator->create_user(); $user6 = $generator->create_user(['suspended' => 1]); + $user7 = $generator->create_user(); $generator->enrol_user($user1->id, $course->id, 'student'); $generator->enrol_user($user2->id, $course->id, 'student'); $generator->enrol_user($user3->id, $course->id, 'student'); $generator->enrol_user($user4->id, $course->id, 'student'); $generator->enrol_user($user5->id, $course->id, 'teacher'); $generator->enrol_user($user6->id, $course->id, 'student'); + $generator->enrol_user($user7->id, $course->id, 'student', 'manual', 0, 0, ENROL_USER_SUSPENDED); /** @var \mod_quiz_generator $quizgenerator */ $quizgenerator = $generator->get_plugin_generator('mod_quiz'); @@ -155,6 +157,9 @@ public function test_get_users_within_quiz(): void { // User6 should not be in the returned users because it is suspended. $this->assertArrayNotHasKey($user6->id, $users); + // User7 should not be in the returned users because it is suspended within the course. + $this->assertArrayNotHasKey($user7->id, $users); + // Let's add some availability conditions. $availability = [
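Review bot: in the notification_helper.php hunk, the new `onlyactive: true,` argument now excludes course-level suspended enrolments at the query, yet `userfields` still selects `u.suspended`, which implies account-level suspension is handled separately further down. A one-line comment above the call stating that onlyactive covers enrolment status (ENROL_USER_SUSPENDED) while u.suspended is checked afterwards would keep the two conditions from being conflated by the next maintainer.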
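Review bot: the test hunks only pin down the ENROL_USER_SUSPENDED status flag (`$user7`, enrolled with `'manual', 0, 0, ENROL_USER_SUSPENDED`); since the fix switches the whole query to onlyactive, consider a further user enrolled with an end time already in the past so the expected behaviour for expired enrolments is asserted explicitly rather than left implicit. The new comment "because it is suspended within the course" is a useful contrast to the user6 case and should stay.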
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8fcv-4qp9-pg32
- nvd.nist.gov/vuln/detail/CVE-2025-62394
- access.redhat.com/security/cve/CVE-2025-62394
- bugzilla.redhat.com/show_bug.cgi
- github.com/moodle/moodle/commit/022bfbfb564d8f3866a43d26eed215213bbdd28a
- moodle.org/mod/forum/discuss.php
News mentions
No linked articles in our index yet.