CVE-2026-54733
Received
Received - Intake
Microsoft 365 Plugin for Moodle JWT Signature Bypass
Vulnerability report for CVE-2026-54733, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-16
Last updated on: 2026-07-16
Assigner: GitHub, Inc.
Description
Description
The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin local_o365 Teams SSO endpoint sso_login.php base64-decodes a JWT payload and authenticates users from the upn claim without verifying the JWT signature, allowing an unauthenticated attacker to forge a token and obtain a Moodle session as an O365-authenticated user. This issue is fixed in versions 4.5.6, 5.0.5, and 5.1.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | o365_moodle | 4.5.6 |
| microsoft | o365_moodle | 5.0.5 |
| microsoft | o365_moodle | 5.1.1 |
| microsoft | office_365_integration | to 5.1.1 (exc) |
| microsoft | o365_moodle | to 5.1.1 (exc) |
| microsoft | repository_office365 | to 5.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |