CVE-2025-26526

6.5 MEDIUM

📋 TL;DR

This vulnerability allows users to bypass Separate Groups mode restrictions in Moodle's Feedback activities, enabling unauthorized viewing or deletion of responses. It affects Moodle installations using Feedback activities with Separate Groups mode configured. Users with appropriate permissions but not in the same group can exploit this flaw.

💻 Affected Systems

Products:
  • Moodle
Versions: Moodle 4.3 to 4.3.5, 4.2 to 4.2.11, 4.1 to 4.1.14, 4.0 to 4.0.18, and earlier unsupported versions
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using Feedback activities with Separate Groups mode enabled. Requires user permissions to view/delete feedback responses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users could view or delete sensitive feedback responses from other groups, potentially exposing confidential information or disrupting educational activities.

🟠

Likely Case

Users with Feedback activity permissions could accidentally or intentionally access responses from groups they shouldn't have access to, violating privacy expectations.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to minor privacy violations that can be detected and corrected.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with appropriate Feedback permissions. The attack involves navigating to Feedback activities and accessing responses from other groups.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Moodle 4.3.6, 4.2.12, 4.1.15, 4.0.19

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=466142

Restart Required: No

Instructions:

1. Back up your Moodle installation and database.
2. Upgrade to a patched version: Moodle 4.3.6, 4.2.12, 4.1.15, or 4.0.19.
3. Apply the patch from git.moodle.org if manual patching is needed.
4. Clear Moodle caches after the upgrade.

🔧 Temporary Workarounds

Disable Separate Groups Mode

all

Temporarily disable Separate Groups mode for Feedback activities to prevent exploitation.

Navigate to Feedback activity settings > Group mode > Select 'No groups'

Restrict Feedback Permissions

all

Temporarily remove view/delete permissions for Feedback activities from non-essential users.

Navigate to Site administration > Users > Permissions > Define roles > Edit role capabilities for Feedback module

🧯 If You Can't Patch

  • Disable Separate Groups mode for all Feedback activities
  • Implement additional access logging for Feedback activities and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check Moodle version in Site administration > Notifications. If using affected versions (4.3.0-4.3.5, 4.2.0-4.2.11, 4.1.0-4.1.14, 4.0.0-4.0.18) with Feedback activities using Separate Groups mode, you are vulnerable.

Check Version:

Check the Moodle version via Site administration > Notifications, or examine the `$release` line in the version.php file in the Moodle root directory.
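The version check above, as an added helper that is not part of this advisory or of Moodle: it reads the `$release` line from a version.php file and compares it against the affected and fixed releases listed on this page (other branches, such as 4.4+, are not listed here and are reported as such; the version.php snippet in `main()` is constructed for illustration).

```python
import re

# Affected ranges and fixed releases as listed in this advisory:
# 4.x branch -> (last affected patch level, first fixed patch level).
AFFECTED = {
    (4, 3): (5, 6),
    (4, 2): (11, 12),
    (4, 1): (14, 15),
    (4, 0): (18, 19),
}


def parse_release(version_php: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from the $release line of version.php.

    Moodle writes the first release of a branch without a patch level
    (e.g. '4.3 (Build: ...)'), so a missing patch component means 0.
    """
    m = re.search(r"\$release\s*=\s*['\"](\d+)\.(\d+)(?:\.(\d+))?", version_php)
    if not m:
        raise ValueError("no $release line found in version.php")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version_php: str) -> str:
    """Classify a version.php file against the ranges in this advisory."""
    major, minor, patch = parse_release(version_php)
    branch = (major, minor)
    if branch in AFFECTED:
        last_bad, first_fixed = AFFECTED[branch]
        if patch <= last_bad:
            return f"affected: upgrade to {major}.{minor}.{first_fixed}"
        return "fixed"
    if branch < (4, 0):
        # "earlier unsupported versions" per the advisory: no fix on this branch.
        return "affected: unsupported branch, upgrade to a fixed release"
    return "not listed as affected in this advisory"


def main() -> None:
    # Constructed sample of the relevant line from a Moodle 4.3.5 version.php.
    sample = "$release  = '4.3.5 (Build: 20240610)';"
    print(assess(sample))


if __name__ == "__main__":
    main()
```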

Verify Fix Applied:

After patching, test that users cannot view or delete Feedback responses from groups they don't belong to when Separate Groups mode is enabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Feedback activities
  • Users accessing Feedback responses from multiple groups
  • Failed permission checks in Moodle logs

Network Indicators:

  • Increased requests to feedback modules from single users across different group contexts

SIEM Query:

source="moodle_logs" AND (event="feedback_view" OR event="feedback_delete") AND user_group_changes=true

🔗 References