Moodle: hidden group names visible to event creators
Description
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle's calendar event form exposed names of hidden groups to users with calendar event creation permission, revealing restricted group information.
Vulnerability Description
Moodle's calendar event form exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups [1][2]. The vulnerability stemmed from the use of the groups_get_course_data() function to populate the group selection dropdown, which did not properly filter groups based on the user's ability to view hidden groups [3].
Exploitation
An attacker with the capability to create calendar events in a course could access the event creation form and see the names of all groups, including those marked as hidden [1]. No additional authentication bypass was required; simply having the default calendar event creation permission was sufficient [2].
Impact
This allowed unauthorized users to learn about the existence and names of hidden groups, potentially revealing private or restricted group information such as special project teams or sensitive course structures [1][2].
Mitigation
The issue has been fixed in Moodle commit 0c70d67059658879a71152ea075c74154a627d05, which replaced groups_get_course_data() with groups_get_all_groups() to ensure that only groups the user is allowed to see are displayed [3]. Users are advised to update their Moodle installation to a patched version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.7 | 4.5.7 |
| moodle/moodle (Packagist) | >= 4.2.0-beta, < 4.4.11 | 4.4.11 |
| moodle/moodle (Packagist) | < 4.1.21 | 4.1.21 |
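To triage an inventory of Moodle sites against the ranges in the table above, the following is an added example (not part of the advisory or of Moodle). The function names, the sample version strings and the pre-release ordering dev < alpha < beta < rc are assumptions made for illustration.

```python
import re

# Ranges copied from the "Affected packages" table:
# (lower bound or None for "no lower bound", first patched version).
AFFECTED_RANGES = [
    ("5.0.0-beta", "5.0.3"),
    ("4.5.0-beta", "4.5.7"),
    ("4.2.0-beta", "4.4.11"),
    (None, "4.1.21"),
]

# Assumed ordering of pre-release tags; a final release ranks above all of them.
_PRE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-?(dev|alpha|beta|rc)(\d*))?", re.I
)


def version_key(text):
    """Turn '4.5.6', '5.0.0-beta' or '4.4.10+ (Build: ...)' into a sortable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        # Pre-releases sort before the final release with the same number.
        return (major, minor, patch, _PRE_RANK[m.group(4).lower()], int(m.group(5) or 0))
    return (major, minor, patch, len(_PRE_RANK), 0)


def first_patched(installed):
    """Return the patched version to upgrade to, or None if outside every affected range."""
    key = version_key(installed)
    for lower, patched in AFFECTED_RANGES:
        if (lower is None or key >= version_key(lower)) and key < version_key(patched):
            return patched
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for v in ["4.1.20", "4.1.21", "4.3.2", "4.4.11",
              "4.5.6+ (Build: 20250101)", "5.0.0-beta", "5.0.3"]:
        print(f"{v:28} -> {first_patched(v) or 'not affected'}")
```
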
Patches
0c70d6705965 MDL-86261 calendar: Improve event form to show accessible groups
2 files changed · +7 −7
public/calendar/externallib.php+3 −3 modified@@ -915,10 +915,10 @@ public static function submit_create_update_form($formdata) { $formoptions['eventtypes'] = $allowedeeventtypes; if ($courseid) { require_once($CFG->libdir . '/grouplib.php'); - $groupcoursedata = groups_get_course_data($courseid); - if (!empty($groupcoursedata->groups)) { + $groupcoursedata = groups_get_all_groups($courseid); + if (!empty($groupcoursedata)) { $formoptions['groups'] = []; - foreach ($groupcoursedata->groups as $groupid => $groupdata) { + foreach ($groupcoursedata as $groupid => $groupdata) { $formoptions['groups'][$groupid] = $groupdata->name; } }
public/calendar/lib.php+4 −4 modified@@ -3031,9 +3031,9 @@ function calendar_output_fragment_event_form($args) { if (is_null($eventid)) { if (!empty($courseid)) { - $groupcoursedata = groups_get_course_data($courseid); + $groupcoursedata = groups_get_all_groups($courseid); $formoptions['groups'] = []; - foreach ($groupcoursedata->groups as $groupid => $groupdata) { + foreach ($groupcoursedata as $groupid => $groupdata) { $formoptions['groups'][$groupid] = format_string($groupdata->name, false, ['context' => $context]); } } @@ -3075,9 +3075,9 @@ function calendar_output_fragment_event_form($args) { $formoptions['event'] = $event; if (!empty($event->courseid)) { - $groupcoursedata = groups_get_course_data($event->courseid); + $groupcoursedata = groups_get_all_groups($event->courseid); $formoptions['groups'] = []; - foreach ($groupcoursedata->groups as $groupid => $groupdata) { + foreach ($groupcoursedata as $groupid => $groupdata) { $formoptions['groups'][$groupid] = format_string($groupdata->name, false, ['context' => $context]); } }
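Review bot: In the public/calendar/externallib.php hunk (submit_create_update_form()), the option label is still the raw `$groupdata->name`, while both loops in public/calendar/lib.php build it with `format_string($groupdata->name, false, ['context' => $context])`. Since this patch already rewrites the loop, consider formatting the name the same way here if a context is available at that point, so both code paths produce identical group labels. The variable is also still named `$groupcoursedata` although it now holds the array returned by groups_get_all_groups(); `$groups` would describe it more accurately.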
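Review bot: The two hunks in calendar_output_fragment_event_form() (public/calendar/lib.php) repeat the same call-and-loop, and the externallib.php hunk is a third copy, so the choice of group lookup that this fix depends on is made in three separate places. A single helper that returns the `$formoptions['groups']` array for a course would keep the copies from drifting apart. The change set is also limited to these two source files (2 files changed, +7 −7), so a test asserting that a user who cannot view hidden groups receives a form without them would be worth adding alongside.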
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-422v-w6c5-vq42 [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2025-62400 [ghsa, ADVISORY]
- access.redhat.com/security/cve/CVE-2025-62400 [ghsa, vdb-entry, x_refsource_REDHAT, WEB]
- bugzilla.redhat.com/show_bug.cgi [ghsa, issue-tracking, x_refsource_REDHAT, WEB]
- github.com/moodle/moodle/commit/0c70d67059658879a71152ea075c74154a627d05 [ghsa, WEB]
- moodle.org/mod/forum/discuss.php [ghsa, WEB]