CVE-2025-67856

5.4 MEDIUM

📋 TL;DR

An authorization logic flaw in Moodle's badge awarding system allows users to obtain badges without proper role verification. This affects all Moodle instances with badge functionality enabled, potentially enabling unauthorized privilege escalation.

💻 Affected Systems

Products:
  • Moodle
Versions: Specific versions unknown from provided references; likely affects multiple recent versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires badge functionality to be enabled; most Moodle installations have this enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain administrative badges or access to restricted course materials, leading to full system compromise through privilege escalation chains.

🟠 Likely Case

Unauthorized users obtain badges they shouldn't have access to, potentially gaining access to restricted course content or features.

🟢 If Mitigated

Limited to the badge system only, with no direct system access, though badge integrity is compromised.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but minimal technical skill to exploit the authorization flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check the Moodle security advisories for the specific fixed version

Vendor Advisory: https://moodle.org/security/

Restart Required: No

Instructions:

1. Check the Moodle security advisory for CVE-2025-67856.
2. Update to the patched version.
3. Clear Moodle caches after the update.

🔧 Temporary Workarounds

Disable Badge System (applies to: all)

Temporarily disable the badge awarding functionality until patched.

Navigate to Site administration > Badges > Manage badges > Disable badge system

🧯 If You Can't Patch

  • Implement strict role-based access controls and audit badge assignments regularly
  • Monitor badge awarding logs for suspicious activity and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check whether the badge system is enabled, then test badge awarding from an account with insufficient permissions.

Check Version:

Check Moodle version in Site administration > Notifications

Verify Fix Applied:

After the update, verify that badge awarding requires the proper role permissions.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected badge awards to users without proper roles
  • Multiple badge awards in short timeframes

Network Indicators:

  • HTTP requests to badge awarding endpoints with unusual parameters

SIEM Query:

source="moodle_logs" AND (event="badge_awarded" AND NOT user_role="required_role")
