Moodle: moodle: Open redirect vulnerability in OAuth login flow allows redirection to malicious sites.
Description
A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirect vulnerability in Moodle's OAuth login flow allows remote attackers to redirect authenticated users to attacker-controlled pages, enabling phishing attacks.
Vulnerability
Overview
CVE-2025-67852 describes an open redirect vulnerability in Moodle's OAuth login flow. The flaw stems from insufficient validation of redirect parameters after a user successfully authenticates via OAuth. This allows a remote attacker to craft a malicious login link that, once the user completes authentication, redirects them to an attacker-controlled URL instead of the intended destination [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted OAuth login URL to a victim. The victim must be a valid Moodle user who then authenticates through the OAuth flow. After successful authentication, the insufficient validation of the redirect parameter causes the browser to navigate to the attacker's site. No additional authentication or privileges are required beyond the user's normal session [2].
Impact
Successful exploitation enables phishing attacks, as the victim may be redirected to a page that mimics a legitimate Moodle interface, potentially leading to credential theft or information disclosure. The attacker could also use the redirect to exfiltrate session tokens or other sensitive data [1][2].
Mitigation
The Moodle project has addressed this issue in commit fa1624c8c9e3efa917f0e9d2666bb59d8be2a975, which restricts login redirects to local URLs [3]. Administrators should update their Moodle installations to the latest patched version to mitigate the risk. No workarounds have been publicly documented.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
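The kind of local-only check the mitigation describes, written out as an added example (Python, not Moodle's `PARAM_LOCALURL` implementation or any code from the project). It shows what a redirect filter has to reject besides a plain foreign hostname: protocol-relative and backslash variants, non-http schemes, and credentials-in-authority forms. It assumes the site is served at the origin root and that `wantsurl` arrives straight from the query string; `https://lms.example.edu` and all sample inputs are constructed values.

```python
from urllib.parse import urlsplit, urlunsplit

SITE = "https://lms.example.edu"  # constructed site URL, assumed served at "/"


def local_redirect_target(wantsurl: str, site_url: str, default: str = "/") -> str:
    """Return a redirect target that stays on site_url, or `default`.

    Accepts a site-relative path ("/course/view.php?id=2") or an absolute
    http(s) URL whose scheme and host:port match site_url exactly.
    Everything else (other hosts, "//host/..." and "/\\host/..." forms,
    non-http schemes, "user@host" authorities) falls back to `default`.
    """
    site = urlsplit(site_url)
    if not wantsurl or not wantsurl.strip():
        return default
    # Browsers treat a backslash like a slash in the authority position, so
    # "/\\host/x" would parse here as a path yet navigate to host. Normalise
    # first so the parser sees "//host/x" and judges it as an authority.
    candidate = wantsurl.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal in the authority
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute or protocol-relative URL: require an exact origin match.
        # A protocol-relative value has an empty scheme and fails here.
        if parts.scheme.lower() != site.scheme.lower():
            return default
        if parts.netloc.lower() != site.netloc.lower():
            return default
    elif not parts.path.startswith("/"):
        # No scheme, no host and not rooted: ambiguous, refuse it.
        return default
    # Re-assemble on the site's own origin; the fragment is dropped.
    return urlunsplit((site.scheme, site.netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed samples covering the accepted and the rejected shapes.
    for raw in ["/course/view.php?id=2", "https://LMS.example.edu/my/",
                "https://evil.example/login", "//evil.example/login",
                "/\\evil.example/login", "https://lms.example.edu@evil.example/"]:
        print(f"{raw!r:48} -> {local_redirect_target(raw, SITE)}")
```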
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 4.1.22 | 4.1.22 |
| moodle/moodle (Packagist) | >= 4.4.0-beta, < 4.4.12 | 4.4.12 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.8 | 4.5.8 |
| moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.4 | 5.0.4 |
| moodle/moodle (Packagist) | >= 5.1.0-beta, < 5.1.1 | 5.1.1 |
Affected products
Patches
fa1624c8c9e3 MDL-80317 auth_oauth2: Restrict login redirect to local url
1 file changed · +1 −1
public/auth/oauth2/login.php+1 −1 modified@@ -25,7 +25,7 @@ require_once('../../config.php'); $issuerid = required_param('id', PARAM_INT); -$wantsurl = optional_param('wantsurl', '', PARAM_URL); +$wantsurl = optional_param('wantsurl', '', PARAM_LOCALURL); $PAGE->set_context(context_system::instance()); $PAGE->set_url(new moodle_url('/auth/oauth2/login.php', ['id' => $issuerid]));
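Review bot: the fix is a single type change at the point `$wantsurl` is read (`optional_param('wantsurl', '', PARAM_LOCALURL)`), so its strength rests entirely on what `PARAM_LOCALURL` discards, and the hunk shows neither where `$wantsurl` is later consumed nor a test. Suggest adding a regression test that submits an absolute URL on another host and a protocol-relative `//host/path` value and asserts both are dropped, and confirming that no other entry point reads the same parameter with `PARAM_URL`.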
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qv78-6gpp-hm68 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67852 (GHSA; advisory)
- access.redhat.com/security/cve/CVE-2025-67852 (GHSA; vdb-entry, x_refsource_REDHAT; web)
- bugzilla.redhat.com/show_bug.cgi (GHSA; issue-tracking, x_refsource_REDHAT; web)
- github.com/moodle/moodle/commit/fa1624c8c9e3efa917f0e9d2666bb59d8be2a975 (GHSA; web)
- moodle.org/mod/forum/discuss.php (GHSA; web)