CVE-2026-30884 CRITICAL

CVE-2026-30884: mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key

Vendor Mdjnelson
Product moodle-mod_customcert
Weakness CWE-639 · IDOR
Published March 18, 2026
Last update March 18, 2026

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

Key dates

02Disclosure timeline

March 18, 2026 CVE published
March 18, 2026 Record updated