CVE-2026-30884
Received Received - Intake
Authorization Bypass in Moodle mod_customcert Allows Data Tampering

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30884
EUVD
EUVD-2026-12745
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mdjnelson moodle_mod_customcert 4.4.9
mdjnelson moodle_mod_customcert 5.0.3
mdjnelson moodle_mod_customcert to 5.0.3 (exc)
mdjnelson moodle_mod_customcert to 5.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30884 is a critical authorization bypass vulnerability in the Moodle plugin mdjnelson/moodle-mod_customcert. It affects versions prior to 4.4.9 and 5.0.3. The flaw allows a teacher who has the mod/customcert:manage capability in any single course to read and silently overwrite certificate elements belonging to other courses within the same Moodle installation.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the core_get_fragment callback 'editelement' and the mod_customcert_save_element web service fail to verify that the supplied element ID belongs to the authorized course context. This means that a user can supply an element ID from another course and gain unauthorized access to read or modify that element."}, {'type': 'paragraph', 'content': 'Technically, the system does not confirm that the element ID is associated with the context the user is authorized to manage, enabling cross-course information disclosure and data tampering.'}] [1]

Impact Analysis

This vulnerability can have significant impacts on confidentiality and integrity within a Moodle installation using the mod_customcert plugin.

  • Confidentiality Impact: An attacker with teacher privileges in one course can read sensitive certificate element configurations from other courses, exposing potentially sensitive data such as certificate layout, fonts, colors, and other settings.
  • Integrity Impact: The attacker can silently overwrite certificate elements in other courses, modifying text, formatting, and other properties without detection.
  • Availability Impact: There is no direct denial of service, but unauthorized modifications could disrupt certificate layouts.

Because the exploit appears as normal AJAX requests and does not trigger permission errors, it may be difficult to detect.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unusual AJAX requests to the Moodle plugin endpoints that handle certificate elements, specifically requests to /lib/ajax/service.php invoking the core_get_fragment callback 'editelement' or the 'mod_customcert_save_element' web service."}, {'type': 'paragraph', 'content': 'Since the exploit involves sending POST requests with manipulated element IDs to read or overwrite certificate elements across courses, detection involves inspecting such requests for mismatched context or template IDs.'}, {'type': 'paragraph', 'content': 'However, exploits appear as normal AJAX requests and may not trigger permission errors, making detection challenging.'}, {'type': 'list_item', 'content': "Monitor web server logs for POST requests to /lib/ajax/service.php with parameters invoking 'core_get_fragment' or 'mod_customcert_save_element'."}, {'type': 'list_item', 'content': "Look for requests where the 'elementid' parameter does not belong to the authorized course context or template."}, {'type': 'list_item', 'content': "Use Moodle's logging or auditing features to track usage of the mod/customcert:manage capability and correlate with unusual certificate element access."}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the resources, but administrators can use tools like grep or log analysis scripts to filter relevant AJAX requests from web server logs.'}] [1]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the mdjnelson/moodle-mod_customcert plugin to version 4.4.9 or 5.0.3 or later, where the vulnerability is fixed.

The fix enforces strict validation of the ownership of certificate elements by verifying that the element belongs to the authorized course context or template before allowing any read or write operations.

If upgrading immediately is not possible, restrict or review the assignment of the mod/customcert:manage capability to trusted users only, as any user with this capability in any course can exploit the vulnerability.

Additionally, monitor and audit usage of the mod/customcert:manage capability and related AJAX requests to detect potential exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30884. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart