CVE-2025-67856 — Moodle has an authorization logic flaw

Description

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.

How to fix CVE-2025-67856

To remediate CVE-2025-67856, upgrade the affected package to a fixed version below.

—upgrade to 4.1.22 or later
—upgrade to 4.1.22 or later

Is CVE-2025-67856 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
from 0, < 4.1.22

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-67856
PATCHgithub.com/moodle/moodle
WEBaccess.redhat.com/security/cve/CVE-2025-67856
WEBbugzilla.redhat.com/show_bug.cgi?id=2423864
WEB