Moodle, Improper Restriction of Excessive Authentication Attempts, CVE-2026-????? (High)

Listen to this Post

This vulnerability exists in Moodle’s account confirmation email service. The function responsible for sending confirmation emails lacks robust rate-limiting controls. A remote attacker can send repeated, automated HTTP POST requests to the relevant endpoint (e.g., /login/confirm.php). Each request can attempt to guess a valid user’s username or email address. Because the system does not sufficiently restrict the number of attempts from a single IP address or session over a short period, it returns discernibly different responses for existing versus non-existing accounts. This allows for efficient user enumeration, reducing the attack surface for subsequent brute-force password attacks. By systematically probing the service, an attacker can compile a list of valid usernames, which significantly increases the success rate of credential-stuffing or password-guessing campaigns against the platform.

DailyCVE Form:

Platform: Moodle
Version: <4.1.22, 4.4.0-4.4.11, 4.5.0-4.5.7, 5.0.0-5.0.3, 5.1.0
Vulnerability: Account Enumeration Brute-force
Severity: High
Date: 2026-02-03

Prediction: Patch Released

What Undercode Say:

curl -X POST https://target/login/confirm.php -d "user=guess1"
curl -X POST https://target/login/confirm.php -d "user=guess2"
for user in $(cat wordlist.txt); do curl -s -X POST $URL -d "user=$user" | grep -q "valid" && echo "Found: $user"; done

How Exploit:

Automate POST requests to confirmation endpoint. Analyze responses for differences indicating valid accounts. Use gathered list for credential brute-force.

Protection from this CVE:

Apply official patches. Implement web-application firewall (WAF) rules. Enforce strict rate limiting.

Impact:

User account compromise. Credential theft. Unauthorized access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top