Listen to this Post
The vulnerability exploits the Learning Tools Interoperability (LTI) Provider in Moodle. When a user attempts to authenticate via LTI, the authentication handlers process the request and validate credentials but fail to check the user’s suspension status. This omission occurs in the code that handles LTI launches, where the suspension flag is not enforced during session creation. As a result, users who are marked as suspended in the system can bypass this restriction and successfully log in. The flaw lies in the separation of authentication and authorization checks, allowing suspended users to gain unauthorized access. This enables them to view courses, access resources, and perform actions as if active, leading to potential information disclosure or malicious activities within the Moodle instance.
Platform: Moodle
Version: Multiple versions affected
Vulnerability: Authentication Bypass
Severity: High
date: Feb 3 2026
Prediction: Feb 3 patch
What Undercode Say:
Analytics:
- Check version: grep ‘\$version’ version.php
- Test LTI: curl -k https://target/mod/lti/launch.php
- Query DB: SELECT FROM mdl_user WHERE suspended=1;
How Exploit:
- Authenticate via LTI.
- Bypass suspension check.
- Access restricted resources.
Protection from this CVE:
- Update Moodle version.
- Review LTI settings.
- Monitor user sessions.
Impact:
- Unauthorized access.
- Data disclosure.
- System compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

