Moodle: authentication bypass via LTI Provider allows suspended users to gain unauthorized access.
Description
A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle LTI Provider fails to check user suspension status, allowing suspended users to authenticate and potentially access restricted data.
Vulnerability
Description
An authentication bypass vulnerability exists in Moodle's Learning Tools Interoperability (LTI) Provider. The root cause is that the LTI authentication handlers do not verify a user's suspension status before allowing access [2]. This flaw enables suspended users to authenticate through the LTI Provider, bypassing the intended restriction.
Exploitation
An attacker who is a suspended user, or who has obtained credentials for a suspended account, can exploit this vulnerability by initiating an LTI launch session. No additional authentication is required beyond the standard LTI flow, and the attacker can be in any network position [2]. The vulnerability is triggered because the user_login function in the LTI auth plugin does not check the suspended flag, as evidenced by the fix commit [3].
Impact
Successful exploitation allows a suspended user to access the system and perform actions they should be restricted from. This can lead to information disclosure or other unauthorized actions, potentially compromising the confidentiality and integrity of the Moodle instance [1][2].
Mitigation
A patch has been released and is available in the Moodle commit [3]. Administrators are strongly advised to update their Moodle installation to a version that includes this fix. Red Hat has also acknowledged the issue [1]. No workarounds are documented; the only mitigation is to apply the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
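As an added, constructed illustration (not Moodle's code and not part of this record) of what a defender can look for after reading the above: an audit over log rows of the kind Moodle's standard log store keeps. The event names mirror Moodle's; the numeric value assumed for AUTH_LOGIN_SUSPENDED, the row layout, the user table and the sample rows are assumptions constructed for this example.

```python
"""Audit constructed Moodle-style log rows for the suspended-user LTI bypass.

Added illustration, not Moodle code. Before the fix, a suspended user launching
through LTI obtained a session like any other login; after it, the launch is
refused and a user_login_failed event carrying AUTH_LOGIN_SUSPENDED is recorded.
Event names mirror Moodle's; everything else here is constructed."""

AUTH_LOGIN_SUSPENDED = 2  # assumed numeric value of the authlib.php constant

LOGGED_IN = r"\core\event\user_loggedin"
LOGIN_FAILED = r"\core\event\user_login_failed"

# Constructed user table: id -> (username, suspended flag)
USERS = {
    11: ("alice", False),
    12: ("bob", True),
    13: ("carol", True),
}

# Constructed log rows modelled on the fields the patch writes into the event.
LOG = [
    {"eventname": LOGGED_IN, "userid": 11, "other": {"username": "alice"}, "timecreated": 1700000000},
    # A suspended account obtained a session. Moodle's standard login refuses
    # suspended accounts, so a success event for one points at a path that
    # skipped the check, which is exactly what the unpatched LTI handlers did.
    {"eventname": LOGGED_IN, "userid": 12, "other": {"username": "bob"}, "timecreated": 1700000100},
    # What the patched LTI handlers emit for a suspended account.
    {"eventname": LOGIN_FAILED, "userid": 13, "other": {"username": "carol", "reason": AUTH_LOGIN_SUSPENDED}, "timecreated": 1700000200},
    # Ordinary failed login with another reason code; not part of this finding.
    {"eventname": LOGIN_FAILED, "userid": 11, "other": {"username": "alice", "reason": 3}, "timecreated": 1700000300},
    # Event for an id missing from the user table: reported, never guessed at.
    {"eventname": LOGGED_IN, "userid": 99, "other": {"username": "ghost"}, "timecreated": 1700000400},
]


def audit(log, users):
    """Return (sessions_for_suspended, refused_suspended, unknown_user_ids)."""
    suspended_sessions, refused, unknown = [], [], []
    for row in log:
        uid = row["userid"]
        if uid not in users:
            unknown.append(uid)
            continue
        if row["eventname"] == LOGGED_IN and users[uid][1]:
            suspended_sessions.append((uid, row["timecreated"]))
        elif (row["eventname"] == LOGIN_FAILED
              and row["other"].get("reason") == AUTH_LOGIN_SUSPENDED):
            refused.append((uid, row["timecreated"]))
    return suspended_sessions, refused, unknown
```

In a real audit the rows come from the site's log store joined against the user table; the first list (sessions established for accounts that are flagged suspended) is the one worth investigating, while the second shows the patched handlers doing their job.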
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 4.1.22 | 4.1.22 |
| moodle/moodle | Packagist | >= 4.4.0-beta, < 4.4.12 | 4.4.12 |
| moodle/moodle | Packagist | >= 4.5.0-beta, < 4.5.8 | 4.5.8 |
| moodle/moodle | Packagist | >= 5.0.0-beta, < 5.0.4 | 5.0.4 |
| moodle/moodle | Packagist | >= 5.1.0-beta, < 5.1.1 | 5.1.1 |
Affected products
Patches (2)
62f372e9d861 MDL-87286 enrol_lti: prevent suspended user account auth in legacy LTI
1 file changed · +14 −0
public/enrol/lti/classes/tool_provider.php+14 −0 modified@@ -259,6 +259,20 @@ protected function onLaunch() { // Get the updated user record. $user = $DB->get_record('user', ['id' => $user->id]); } else { + if ($dbuser->suspended) { + require_once($CFG->libdir . '/authlib.php'); + $failurereason = AUTH_LOGIN_SUSPENDED; + $event = \core\event\user_login_failed::create([ + 'userid' => $dbuser->id, + 'other' => [ + 'username' => $dbuser->username, + 'reason' => $failurereason + ] + ]); + $event->trigger(); + throw new \core\exception\moodle_exception('invalidlogin', 'core'); + } + if (helper::user_match($user, $dbuser)) { $user = $dbuser; } else {
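Review bot: the suspension check is added only on the existing-account branch, after `$dbuser` has been loaded and before `helper::user_match($user, $dbuser)`, so a suspended bound account is refused before any matching takes place; that ordering is right. Two things to confirm: `require_once($CFG->libdir . '/authlib.php')` relies on `$CFG` being in scope inside `onLaunch()`, and the visible context only shows `$DB` in use, so check that `global $CFG` is declared (or move the require to the top of the file). The event-and-throw block is identical to the one added to `public/auth/lti/auth.php` in the sibling commit; a shared helper would keep the two LTI flows from drifting apart on future changes.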
c2705e2c1896 MDL-87286 auth_lti: prevent suspended user account auth in LTI1p3
1 file changed · +14 −0
public/auth/lti/auth.php+14 −0 modified@@ -104,6 +104,7 @@ public function user_login($username, $password) { * @param int $provisioningmode the desired account provisioning mode, which controls the auth flow for unbound users. * @param array $legacyconsumersecrets an array of secrets used by the legacy consumer if a migration claim exists. * @throws coding_exception if the specified provisioning mode is invalid. + * @throws \core\exception\moodle_exception if user authentication fails. */ public function complete_login(array $launchdata, moodle_url $returnurl, int $provisioningmode, array $legacyconsumersecrets = []): void { @@ -112,6 +113,19 @@ public function complete_login(array $launchdata, moodle_url $returnurl, int $pr if ($this->get_user_binding($launchdata['iss'], $launchdata['sub'])) { $user = $this->find_or_create_user_from_launch($launchdata); + if ($user->suspended) { + $failurereason = AUTH_LOGIN_SUSPENDED; + $event = \core\event\user_login_failed::create([ + 'userid' => $user->id, + 'other' => [ + 'username' => $user->username, + 'reason' => $failurereason + ] + ]); + $event->trigger(); + throw new \core\exception\moodle_exception('invalidlogin', 'core'); + } + if (isloggedin()) { // If a different user is currently logged in, authenticate the linked user instead. global $USER;
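Review bot: `AUTH_LOGIN_SUSPENDED` is used here without the `require_once($CFG->libdir . '/authlib.php')` that the enrol_lti commit adds; confirm authlib.php is always loaded before `complete_login()` runs (it normally is for an auth plugin, but a direct call from a unit test could hit an undefined constant), or add the same require for symmetry. The check sits only inside the `if ($this->get_user_binding(...))` branch; the unbound-user path is outside the visible context, so verify that no other route through `complete_login()` can establish a session for an existing account that is suspended. The new `@throws` line is accurate but generic; saying that suspended accounts are refused with `invalidlogin` would tell callers what to expect.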
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j5jv-w5cw-j9ff (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67848 (advisory)
- access.redhat.com/security/cve/CVE-2025-67848 (Red Hat VDB entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracking)
- github.com/moodle/moodle/commit/62f372e9d861d16df702d3c7726905fa2730e3d8 (fix commit, enrol_lti)
- github.com/moodle/moodle/commit/c2705e2c18962fec4f21b9c34ed386be2a379663 (fix commit, auth_lti)
- moodle.org/mod/forum/discuss.php (Moodle forum discussion)