Moodle: moodle: privilege escalation via incomplete role checks in badge awarding
Description
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle's badge awarding had incomplete role checks, allowing unauthorized users to obtain badges and potentially escalate privileges.
Vulnerability
The vulnerability is an authorization logic flaw in Moodle's badge awarding process. The system failed to properly verify that the user awarding the badge has the required role in the specific context, leading to badges being granted without proper authentication [1][2][4].
Exploitation
An attacker with basic user privileges can exploit this by crafting requests to the badge awarding functionality, bypassing the intended role checks. The vulnerability can be triggered without administrative rights, as the incomplete role checks allow unauthorized badge issuance [1][2].
Impact
Successful exploitation enables an unauthorized user to obtain badges they are not entitled to. This could lead to privilege escalation if badges grant access to restricted features or content, or to unauthorized access to sensitive actions within the Moodle platform [1][2].
Mitigation
The issue has been fixed in Moodle via commit 0d48779, which adds a role assignment verification before awarding a badge. Administrators should update their Moodle installations to include this patch to prevent exploitation [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moodle/moodlePackagist | < 4.1.22 | 4.1.22 |
moodle/moodlePackagist | >= 4.4.0-beta, < 4.4.12 | 4.4.12 |
moodle/moodlePackagist | >= 4.5.0-beta, < 4.5.8 | 4.5.8 |
moodle/moodlePackagist | >= 5.0.0-beta, < 5.0.4 | 5.0.4 |
moodle/moodlePackagist | >= 5.1.0-beta, < 5.1.1 | 5.1.1 |
Affected products
2Patches
10d48779e61bcMDL-86507 badge: Check if role is assigned
2 files changed · +11 −0
public/badges/award.php+10 −0 modified@@ -82,6 +82,16 @@ die(); } +if (!empty($role)) { + if (!user_has_role_assignment($USER->id, $role, $context->id) && !$isadmin) { + // User does not have the role passed by the parameter. + echo $OUTPUT->header(); + echo $OUTPUT->notification(get_string('wrongrole', 'badges')); + echo $OUTPUT->footer(); + die(); + } +} + $returnurl = new moodle_url('recipients.php', array('id' => $badge->id)); $returnlink = html_writer::link($returnurl, $strrecipients); $actionbar = new \core_badges\output\standard_action_bar(
public/lang/en/badges.php+1 −0 modified@@ -596,6 +596,7 @@ $string['visible'] = 'Visible'; $string['version'] = 'Version'; $string['warnexpired'] = ' (This badge has expired!)'; +$string['wrongrole'] = 'The role you want to use is not assigned to you.'; $string['year'] = 'Year(s)'; // Deprecated since Moodle 4.5.
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-hcm6-q6pc-xfhmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-67856ghsaADVISORY
- access.redhat.com/security/cve/CVE-2025-67856ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/moodle/moodle/commit/0d48779e61bcacbabbcb82858a037b567351fce0ghsaWEB
- moodle.org/mod/forum/discuss.phpghsaWEB
News mentions
0No linked articles in our index yet.