CVE-2025-67848
Authentication Bypass in Moodle LTI Allows Suspended User Access

Publication date: 2026-02-03

Last updated on: 2026-02-11

Assigner: Fedora Project

Description
A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product   Version / Range
moodle   moodle    up to 4.1.22 (exc)
moodle   moodle    from 4.4.0 (inc) to 4.4.11 (exc)
moodle   moodle    from 4.5.0 (inc) to 4.5.8 (exc)
moodle   moodle    from 5.0.0 (inc) to 5.0.4 (exc)
moodle   moodle    5.1.0
The exclusive upper bounds (4.1.22, 4.4.11, 4.5.8, 5.0.4) are the first releases of each listed series outside the affected range. 5.1.0 is listed on its own with no upper bound, and the 4.2 and 4.3 series do not appear in this list at all, so their absence should not be read as "unaffected".
CWE
CWE-280 Improper Handling of Insufficient Permissions or Privileges: The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know
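Since the page gives no detection commands, here is an added example (not part of the advisory and not Moodle code) for the one check that is fully supported by the page's own data: reading the release string Moodle keeps in `version.php` at the web root and classifying it against the affected-products table above. The `version.php` body below is constructed for the demonstration; the function names (`parse_release`, `classify`, `audit`) are this example's own. The script deliberately distinguishes "not affected" (a release at or above an exclusive upper bound in the table) from "not listed" (a series the table never mentions, such as 4.2.x and 4.3.x), and flags Moodle's weekly `+` builds, which may already carry a fix that the version number alone does not reveal.

```python
"""Audit a Moodle checkout against the affected ranges listed for CVE-2025-67848.

Added example for this page; it is not Moodle code and not part of the advisory.
It reads the `$release` string that Moodle keeps in `version.php` at the web
root and classifies it against the version table above. The sample
`version.php` contents are constructed for the demonstration.
"""
import re

# Ranges copied from the affected-products table: (lower inclusive, upper exclusive).
# A lower bound of None means every release below the upper bound.
AFFECTED_RANGES = [
    (None, (4, 1, 22)),
    ((4, 4, 0), (4, 4, 11)),
    ((4, 5, 0), (4, 5, 8)),
    ((5, 0, 0), (5, 0, 4)),
]
# Versions the table lists on their own, with no range or fixed release given.
AFFECTED_EXACT = [(5, 1, 0)]

# Constructed sample of the relevant lines from a Moodle version.php.
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2024100703.00;              // constructed value
$release  = '4.5.3 (Build: 20250310)';  // constructed value
$branch   = '405';
"""

_RELEASE_RE = re.compile(r"\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?(\+?)")


def parse_release(version_php: str):
    """Return the (major, minor, patch) tuple from $release, or None if absent.

    Moodle writes major releases without a third component ('4.5 (Build: ...)'),
    which is treated here as patch level 0.
    """
    m = _RELEASE_RE.search(version_php)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_weekly_build(version_php: str) -> bool:
    """True when $release carries the '+' suffix Moodle uses for weekly builds.

    A '+' build may already contain fixes released after the numbered version,
    so an 'affected' verdict for it needs confirming against the build date or
    the actual patch rather than the number alone.
    """
    m = _RELEASE_RE.search(version_php)
    return bool(m and m.group(4) == "+")


def classify(version) -> str:
    """Classify a version tuple as 'affected', 'not affected' or 'not listed'.

    'not affected' is inferred only from the exclusive upper bounds in the
    table (the first release of each listed series outside the range).
    Series the table does not mention (for example 4.2.x and 4.3.x, or 5.1
    releases after 5.1.0) come back as 'not listed' rather than as safe.
    """
    for low, high in AFFECTED_RANGES:
        if (low is None or version >= low) and version < high:
            return "affected"
    if version in AFFECTED_EXACT:
        return "affected"
    if any(version[:2] == high[:2] for _, high in AFFECTED_RANGES):
        return "not affected"
    return "not listed"


def audit(version_php: str) -> str:
    """One-line verdict for a version.php body, usable from a shell loop."""
    version = parse_release(version_php)
    if version is None:
        return "no $release line found"
    verdict = classify(version)
    if is_weekly_build(version_php) and verdict == "affected":
        verdict += " (weekly '+' build: confirm against the patch itself)"
    return f"{'.'.join(map(str, version))}: {verdict}"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    print(audit(text))
```

Run it as `python audit.py /var/www/moodle/version.php` (path is an assumption; use your own web root). A "not listed" verdict means the page says nothing about that series, which is a reason to check the vendor's release notes, not a reason to skip patching.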


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, it is important to update Moodle to a version where the LTI authentication handlers properly enforce user suspension status.

Since the vulnerability allows suspended users to bypass suspension via LTI authentication, immediate mitigation involves applying patches or updates provided by Moodle or your Linux distribution that address this authentication bypass.

Additionally, reviewing and restricting LTI provider access or disabling LTI authentication temporarily until a fix is applied can reduce risk.


Can you explain this vulnerability to me?

This vulnerability is an authentication bypass in Moodle's Learning Tools Interoperability (LTI) Provider. It occurs because the LTI authentication handlers do not properly enforce the suspension status of users. As a result, users who have been suspended can still authenticate and gain unauthorized access to the Moodle system. [1]
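To make the flaw class concrete, here is an added example (not Moodle's code and not a reproduction of the actual fix) that models two login paths over a user record with the two fields that matter here, the owning `auth` method and the `suspended` flag. The primary password path checks suspension; an LTI-style launch path validates the launch and then issues a session without ever looking at the flag, which is the shape of bug the description refers to. The hardened variant moves the status check into the single function that issues sessions, so no handler can skip it. All names (`User`, `Session`, `complete_login`, the `_vuln`/`_fixed` handlers) are this example's own.

```python
"""Model of the flaw class this advisory describes: an alternative login path
that never consults the account's suspended flag.

Added example; this is not Moodle's code and does not reproduce the actual
fix. It keeps only the two user fields that matter here, `auth` (the
authentication method that owns the account) and `suspended`, and shows two
handlers: the primary one that checks suspension, and an LTI-style one that
does not. The hardened version moves the check into the single function that
issues sessions, so a handler cannot forget it.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    auth: str          # e.g. "manual" or "lti"
    suspended: bool
    deleted: bool = False


@dataclass
class Session:
    username: str
    via: str           # which handler created the session


class LoginRefused(Exception):
    pass


# --- Vulnerable shape: each handler does its own status checks --------------

def standard_login_vuln(user: User, password_ok: bool) -> Session:
    """Password login: remembers to refuse suspended and deleted accounts."""
    if not password_ok:
        raise LoginRefused("bad credentials")
    if user.suspended or user.deleted:
        raise LoginRefused("account suspended")
    return Session(user.username, "standard")


def lti_login_vuln(user: User, launch_valid: bool) -> Session:
    """LTI launch login: validates the launch but never looks at `suspended`.

    This is the flaw class: the session is issued on the strength of the LTI
    launch alone, so a suspended account still gets in through this path.
    """
    if not launch_valid:
        raise LoginRefused("invalid LTI launch")
    return Session(user.username, "lti")


# --- Hardened shape: one choke point issues every session -------------------

def complete_login(user: User, via: str) -> Session:
    """The only place sessions are issued; enforces account status for all paths."""
    if user.suspended:
        raise LoginRefused("account suspended")
    if user.deleted:
        raise LoginRefused("account deleted")
    return Session(user.username, via)


def standard_login_fixed(user: User, password_ok: bool) -> Session:
    if not password_ok:
        raise LoginRefused("bad credentials")
    return complete_login(user, "standard")


def lti_login_fixed(user: User, launch_valid: bool) -> Session:
    if not launch_valid:
        raise LoginRefused("invalid LTI launch")
    return complete_login(user, "lti")


def try_login(handler, user: User, ok: bool) -> Optional[Session]:
    """Return the session a handler grants, or None when it refuses."""
    try:
        return handler(user, ok)
    except LoginRefused:
        return None


if __name__ == "__main__":
    alice = User("alice", auth="lti", suspended=True)  # constructed sample account
    print("vulnerable LTI path:", try_login(lti_login_vuln, alice, True))
    print("fixed LTI path:     ", try_login(lti_login_fixed, alice, True))
```

The design point is that a check enforced per handler is only as good as the least careful handler; putting it at the point where the session is created covers every current and future login path at once.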


How can this vulnerability impact me?

This vulnerability can allow suspended users to bypass restrictions and access the Moodle system. This unauthorized access can lead to information disclosure or other unauthorized actions by users who should be restricted, potentially compromising the security and integrity of the system. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows suspended users to bypass authentication and gain unauthorized access to the Moodle system. This unauthorized access can lead to information disclosure or other unauthorized actions.

Such unauthorized access and potential information disclosure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

