Moodle, Authorization Logic Flaw, Moderate Severity

Listen to this Post

The vulnerability is an authorization bypass within the badge awarding subsystem. The flaw occurs because the system performs incomplete checks on a user’s role and capabilities before processing a badge award request. Specifically, the affected code path does not fully validate if the user attempting to award a badge possesses the required ‘moodle/badge:awardbadge’ capability within the correct context. An attacker, typically a user with lower privileges like a student, can exploit this by crafting and sending a direct HTTP request to the badge awarding endpoint (e.g., /badge/award.php) with targeted parameters (user ID, badge ID, possibly a nomination). The system’s logic flaw skips the final authorization verification, mistakenly granting the badge. This allows unauthorized acquisition of badges, which can represent achievements or act as conditional access tokens, leading to privilege escalation if badges unlock further platform capabilities.
Platform: Moodle
Version: Multiple affected versions
Vulnerability : Authorization logic flaw
Severity: Moderate
date: Feb 3, 2026

Prediction: Patches available now

What Undercode Say:

Analytics

Check current Moodle version
grep "\$version" version.php
List installed badges via DB
mysql -e "SELECT id, name FROM mdl_badge" moodle_db
Simulate patch check
php admin/cli/upgrade.php --list

How Exploit:

1. Attacker identifies target badge ID.

2. Crafts POST request to `/badge/award.php`.

  1. Submits request with target user and badge parameters.

4. System bypasses final capability check.

5. Badge is awarded without authorization.

Protection from this CVE

Update to patched versions: 4.1.22, 4.4.12, 4.5.8, 5.0.4, or 5.1.1. Implement additional custom capability checks in any badge-related overrides. Review and audit all badge assignments post-upgrade.

Impact:

Unauthorized badge acquisition. Potential privilege escalation. Integrity loss.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top