SB2026032565 - Multiple vulnerabilities in Moodle
Published: March 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-62393)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to insufficient handling of course access checks in a course overview function. A remote user can gain access to sensitive information.
2) Improper Authentication (CVE-ID: CVE-2025-62398)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to incorrect handling of some endpoints during login. A remote user can bypass the second factor of multi-factor authentication.
3) Information Exposure Through an Error Message (CVE-ID: CVE-2025-62397)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to inconsistent handling of valid and non-existent course IDs within the router. A remote attacker can determine valid course IDs.
4) Exposure of Information Through Directory Listing (CVE-ID: CVE-2025-62396)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect error handling in the routing system. A remote attacker can gain unauthorized access to sensitive information on the system.
5) Improper access control (CVE-ID: CVE-2025-62395)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to external cohort search service method leaks system cohort data. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information.
6) Incorrect authorization (CVE-ID: CVE-2025-62394)
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to insufficient enrolment checks. A remote user with inactive enrolment in the course can gain access to quiz notifications.
7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-54869)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to allocation of resources without limits or throttling in the upstream FPDI library. A remote attacker can cause a denial of service condition on the target system.
Remediation
Install update from vendor's website.
References
- https://moodle.org/mod/forum/discuss.php?d=470381
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86426&type=commits
- https://moodle.org/mod/forum/discuss.php?d=470387
- https://moodle.org/mod/forum/discuss.php?d=470386
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86335&type=commits
- https://moodle.org/mod/forum/discuss.php?d=470385
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86494&type=commits
- https://moodle.org/mod/forum/discuss.php?d=470384
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-85421&type=commits
- https://moodle.org/mod/forum/discuss.php?d=470383
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86253&type=commits
- https://moodle.org/mod/forum/discuss.php?d=470382
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86353&type=commits