Listen to this Post
The vulnerability is an authorization bypass within the badge awarding subsystem. The flaw occurs because the system performs incomplete checks on a user’s role and capabilities before processing a badge award request. Specifically, the affected code path does not fully validate if the user attempting to award a badge possesses the required ‘moodle/badge:awardbadge’ capability within the correct context. An attacker, typically a user with lower privileges like a student, can exploit this by crafting and sending a direct HTTP request to the badge awarding endpoint (e.g., /badge/award.php) with targeted parameters (user ID, badge ID, possibly a nomination). The system’s logic flaw skips the final authorization verification, mistakenly granting the badge. This allows unauthorized acquisition of badges, which can represent achievements or act as conditional access tokens, leading to privilege escalation if badges unlock further platform capabilities.
Platform: Moodle
Version: Multiple affected versions
Vulnerability : Authorization logic flaw
Severity: Moderate
date: Feb 3, 2026
Prediction: Patches available now
What Undercode Say:
Analytics
Check current Moodle version grep "\$version" version.php List installed badges via DB mysql -e "SELECT id, name FROM mdl_badge" moodle_db Simulate patch check php admin/cli/upgrade.php --list
How Exploit:
1. Attacker identifies target badge ID.
2. Crafts POST request to `/badge/award.php`.
- Submits request with target user and badge parameters.
4. System bypasses final capability check.
5. Badge is awarded without authorization.
Protection from this CVE
Update to patched versions: 4.1.22, 4.4.12, 4.5.8, 5.0.4, or 5.1.1. Implement additional custom capability checks in any badge-related overrides. Review and audit all badge assignments post-upgrade.
Impact:
Unauthorized badge acquisition. Potential privilege escalation. Integrity loss.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

