CVE-2025-26526 MEDIUM

CVE-2025-26526: Feedback response viewing and deletions did not respect Separate Groups mode

Vendor Moodle Project

Product moodle

Weakness CWE-863 · Incorrect authorization

Published February 24, 2025

Last update February 24, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

Key dates

02Disclosure timeline

February 24, 2025 CVE published

February 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-26526 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2025-26526

CWE CWE-863

CVSS 6.5 / MEDIUM

Affected versions

Vendor Moodle Project

Product moodle

Affected ≥ 4.5.0 and < 4.5.2

Vendor Moodle Project

Product moodle

Affected ≥ 4.4.0 and < 4.4.6

Vendor Moodle Project

Product moodle

Affected ≥ 4.3.0 and < 4.3.10

Vendor Moodle Project

Product moodle

Affected ≥ 4.1.0 and < 4.1.16

CVE-2025-26526: Feedback response viewing and deletions did not respect Separate Groups mode

01Description

02Disclosure timeline

03References

04Related CVE