CVE-2026-30884
Authorization Bypass in Moodle mod_customcert Allows Data Tampering
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mdjnelson | moodle_mod_customcert | 4.4.9 |
| mdjnelson | moodle_mod_customcert | 5.0.3 |
| mdjnelson | moodle_mod_customcert | to 5.0.3 (exc) |
| mdjnelson | moodle_mod_customcert | to 5.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30884 is a critical authorization bypass vulnerability in the Moodle plugin mdjnelson/moodle-mod_customcert. It affects versions prior to 4.4.9 and 5.0.3. The flaw allows a teacher who has the mod/customcert:manage capability in any single course to read and silently overwrite certificate elements belonging to other courses within the same Moodle installation.

The vulnerability arises because the core_get_fragment callback 'editelement' and the mod_customcert_save_element web service fail to verify that the supplied element ID belongs to the authorized course context. This means that a user can supply an element ID from another course and gain unauthorized access to read or modify that element.

Technically, the system does not confirm that the element ID is associated with the context the user is authorized to manage, enabling cross-course information disclosure and data tampering. [1]
How can this vulnerability impact me?
This vulnerability can have significant impacts on confidentiality and integrity within a Moodle installation using the mod_customcert plugin.
- Confidentiality Impact: An attacker with teacher privileges in one course can read sensitive certificate element configurations from other courses, exposing potentially sensitive data such as certificate layout, fonts, colors, and other settings.
- Integrity Impact: The attacker can silently overwrite certificate elements in other courses, modifying text, formatting, and other properties without detection.
- Availability Impact: There is no direct denial of service, but unauthorized modifications could disrupt certificate layouts.
Because the exploit consists of normal-looking AJAX requests and does not trigger permission errors, it may be difficult to detect.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual AJAX requests to the Moodle plugin endpoints that handle certificate elements, specifically requests to /lib/ajax/service.php invoking the core_get_fragment callback 'editelement' or the 'mod_customcert_save_element' web service.

Since the exploit involves sending POST requests with manipulated element IDs to read or overwrite certificate elements across courses, detection involves inspecting such requests for mismatched context or template IDs.

However, exploits appear as normal AJAX requests and may not trigger permission errors, making detection challenging.

- Monitor web server logs for POST requests to /lib/ajax/service.php with parameters invoking 'core_get_fragment' or 'mod_customcert_save_element'.
- Look for requests where the 'elementid' parameter does not belong to the authorized course context or template.
- Use Moodle's logging or auditing features to track usage of the mod/customcert:manage capability and correlate with unusual certificate element access.

Specific commands are not provided in the resources, but administrators can use tools like grep or log analysis scripts to filter relevant AJAX requests from web server logs. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the mdjnelson/moodle-mod_customcert plugin to version 4.4.9 or 5.0.3 or later, where the vulnerability is fixed.
The fix enforces strict validation of the ownership of certificate elements by verifying that the element belongs to the authorized course context or template before allowing any read or write operations.
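The following Python module is an added illustration, written for this page and not taken from the advisory or from the mod_customcert plugin. It models two things the Q&A above describes: the CWE-639 defect (an element ID trusted without checking that it belongs to the context the user may manage) next to the ownership check the fix introduces, and the log filter suggested in the detection answer (POST requests to /lib/ajax/service.php naming core_get_fragment or mod_customcert_save_element). The element -> page -> template -> context chain, the capability map, the user names and the log lines are all constructed sample data; the assumption that Moodle's AJAX client names the invoked methods in an `info=` query parameter is mine and should be checked against your own access logs.

```python
"""Model of CVE-2026-30884 (CWE-639) and a log filter for its endpoints.

Constructed, simplified data; this is NOT the plugin's code or schema.
"""
import re
from urllib.parse import parse_qs, urlparse

# --- Constructed miniature of the plugin's data model ---------------------
# Assumed layout: an element sits on a page, a page belongs to a template,
# a template is owned by one context (course). Not taken from the plugin.
ELEMENTS = {11: {"pageid": 1, "name": "Student name"},
            22: {"pageid": 2, "name": "Final grade"}}
PAGES = {1: {"templateid": 100}, 2: {"templateid": 200}}
TEMPLATES = {100: {"contextid": 1000},   # course A
             200: {"contextid": 2000}}   # course B

# Constructed capability map: contexts in which a user holds
# mod/customcert:manage. teacher_a manages only course A.
MANAGE_CAPS = {"teacher_a": {1000}, "teacher_b": {2000}}


class AccessDenied(Exception):
    """Stands in for Moodle's required_capability_exception."""


def has_capability(user, contextid):
    return contextid in MANAGE_CAPS.get(user, set())


def element_contextid(elementid):
    """Resolve the context that actually owns an element (None if unknown)."""
    element = ELEMENTS.get(elementid)
    if element is None:
        return None
    template = TEMPLATES[PAGES[element["pageid"]]["templateid"]]
    return template["contextid"]


def save_element_vulnerable(user, contextid, elementid, new_name):
    """Pre-fix pattern: capability is checked in the context the CLIENT
    names, and elementid is then trusted. The two are never tied together,
    so a teacher of course A can write an element owned by course B."""
    if not has_capability(user, contextid):
        raise AccessDenied("no manage capability in requested context")
    return {**ELEMENTS[elementid], "name": new_name}   # pure: no shared mutation


def save_element_fixed(user, contextid, elementid, new_name):
    """Fixed pattern: derive the owning context from the element itself,
    require that it equals the requested context, and check the capability
    against that derived context."""
    owner = element_contextid(elementid)
    if owner is None or owner != contextid or not has_capability(user, owner):
        raise AccessDenied("element does not belong to an authorized context")
    return {**ELEMENTS[elementid], "name": new_name}


def is_allowed(handler, *args):
    """True if the handler completes, False if it raises AccessDenied."""
    try:
        handler(*args)
        return True
    except AccessDenied:
        return False


# --- Log filter for the endpoints named in the detection answer -----------
# Combined log format; assumption: Moodle's AJAX client lists invoked web
# service methods in a comma-separated `info=` query parameter.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
WATCHED = {"core_get_fragment", "mod_customcert_save_element"}

# Constructed sample access-log lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2026:10:01:02 +0000] "POST /lib/ajax/service.php?sesskey=abc&info=mod_customcert_save_element HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Mar/2026:10:01:03 +0000] "POST /lib/ajax/service.php?sesskey=abc&info=core_get_fragment HTTP/1.1" 200 2048',
    '10.0.0.9 - - [18/Mar/2026:10:02:00 +0000] "POST /lib/ajax/service.php?sesskey=def&info=core_course_get_recent_courses HTTP/1.1" 200 900',
    '10.0.0.9 - - [18/Mar/2026:10:02:01 +0000] "GET /mod/customcert/view.php?id=7 HTTP/1.1" 200 3000',
]


def suspicious_service_calls(lines):
    """Return (ip, timestamp, matched methods, status) for POSTs to
    /lib/ajax/service.php whose info= parameter names a watched method."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlparse(m["target"])
        if not url.path.endswith("/lib/ajax/service.php"):
            continue
        methods = set(parse_qs(url.query).get("info", [""])[0].split(","))
        matched = methods & WATCHED
        if matched:
            hits.append((m["ip"], m["ts"], sorted(matched), int(m["status"])))
    return hits


if __name__ == "__main__":
    # teacher_a (course A) targets element 22, which belongs to course B.
    print("vulnerable allows cross-course write:",
          is_allowed(save_element_vulnerable, "teacher_a", 1000, 22, "tampered"))
    print("fixed allows cross-course write:",
          is_allowed(save_element_fixed, "teacher_a", 1000, 22, "tampered"))
    for hit in suspicious_service_calls(SAMPLE_LOG):
        print("review:", hit)
```

The filter only narrows the log to the endpoints of interest; the element ID travels in the POST body, which a default access log does not record, so the second detection step (checking that the ID belongs to the caller's course) needs either request-body logging at the proxy or correlation inside Moodle. On a patched install, the fixed handler's rejection also surfaces as a permission error rather than a silent success, which is itself a useful signal.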
If upgrading immediately is not possible, restrict or review the assignment of the mod/customcert:manage capability to trusted users only, as any user with this capability in any course can exploit the vulnerability.
Additionally, monitor and audit usage of the mod/customcert:manage capability and related AJAX requests to detect potential exploitation attempts.