Executive Summary
A critical authorization bypass vulnerability (CVE-2026-30884, CVSS 9.6) has been disclosed in the popular moodle-mod_customcert plugin by mdjnelson — a widely deployed Moodle extension for creating dynamically generated certificates with customization via the browser. The flaw is classified as CWE-639: Authorization Bypass Through User-Controlled Key and allows any authenticated teacher who holds mod/customcert:manage capability in any single course to silently read and overwrite certificate elements belonging to entirely different courses on the same Moodle installation.
CVSS Score: 9.6 (Critical) | GitHub Advisory: GHSA-8pjr-j7r4-ccjx | Published: March 18, 2026
Patched versions 4.4.9 and 5.0.3 are available. Organizations running Moodle in academic, corporate training, or certification contexts should treat this as a priority remediation item.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-30884 |
| GitHub Advisory | GHSA-8pjr-j7r4-ccjx |
| CVSS Score | 9.6 (Critical) |
| CWE | CWE-639: Authorization Bypass Through User-Controlled Key |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (teacher role in any course) |
| User Interaction | None |
| Scope | Changed (cross-course) |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
| Vulnerable Component | Three endpoints in lib.php and classes/external.php |
| Published | 2026-03-18 |
Affected Products
| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| mdjnelson | moodle-mod_customcert (4.x) | < 4.4.9 | 4.4.9 |
| mdjnelson | moodle-mod_customcert (5.x) | >= 5.0.0 and < 5.0.3 | 5.0.3 |
Vulnerability Details
Authorization Bypass Through User-Controlled Key (CWE-639)
CVE-2026-30884 is rooted in a fundamental access control failure across three endpoints in the moodle-mod_customcert plugin. All three endpoints accept a user-supplied elementid parameter — a sequential integer database key identifying certificate template elements — without validating that the element belongs to the requesting teacher's authorized course context.
Because Moodle certificate element IDs are sequential integers, a teacher can trivially enumerate them to discover elements owned by courses they have no legitimate access to, then read their configuration or overwrite them entirely.
Three vulnerable code paths:
core_get_fragment— theeditelementcallback inlib.phpmod_customcert_save_elementweb service — inclasses/external.phpmod_customcert_get_element_htmlweb service — inclasses/external.php
In all three cases, the elementid is trusted as supplied by the client without traversing the ownership chain to verify the element belongs to the teacher's authorized context.
Attack Flow
1. Attacker authenticates as a teacher with mod/customcert:manage
in any single course (even a low-value course)
2. Attacker enumerates elementid values (sequential integers)
via mod_customcert_get_element_html web service
3. Attacker identifies certificate elements belonging to other courses
(e.g., professional certifications, compliance certificates)
4. Attacker reads the content and configuration of those elements
(cross-course information disclosure)
5. Attacker submits crafted data via mod_customcert_save_element
using the foreign elementid to silently overwrite certificate elements
(cross-course data tampering — certificates modified without detection)Why CVSS 9.6 Is Accurate
The 9.6 score reflects the changed scope (cross-course impact):
- Low privileges — only requires teacher role in any course, not the target course
- No user interaction — fully automatable, no victim action required
- Network accessible — exploitable via standard HTTP web service calls
- Changed scope — impact extends beyond the attacker's authorized course to any course on the platform
- High CIA on target — complete read/write access to other courses' certificate elements
Deployment Context and Risk
Moodle is used by over 400 million learners globally across universities, corporate L&D platforms, government training systems, and professional certification bodies. The mod_customcert plugin is one of Moodle's most widely deployed third-party plugins, used wherever custom certificate generation is required.
| Deployment Context | Risk Level | Impact |
|---|---|---|
| Universities and colleges | Critical | Certificates for entire student body exposed to modification |
| Professional certification bodies | Critical | Credential integrity at risk; compliance certificates can be tampered |
| Corporate L&D / compliance training | High | Regulatory and compliance certificates can be forged or corrupted |
| Government training platforms | High | Sensitive training records and certificates exposed cross-course |
| Multi-tenant Moodle installations | Critical | One low-privilege teacher can access data across all tenants |
The ability to silently overwrite certificates is particularly damaging in environments where Moodle certificates serve as verifiable credentials — any modification would be undetected unless audit logs are actively reviewed.
Recommended Mitigations
1. Upgrade Immediately
# For 4.x branch: upgrade to 4.4.9
# For 5.x branch: upgrade to 5.0.3
# The fix introduces ownership chain validation:
# elementid → customcert_elements → customcert_pages
# → customcert_templates → course context
# All three endpoints now verify the element belongs
# to the teacher's authorized context before allowing access.Download updated plugin versions from the Moodle Plugins directory or the mdjnelson/moodle-mod_customcert GitHub repository.
2. Immediate Compensating Controls (If Patch Cannot Be Applied)
- Restrict
mod/customcert:manage— audit all users holding this capability and restrict it to only fully trusted administrators (Moodle Manager or Site Administrator role) - Disable the plugin — if certificate generation is not actively required, temporarily disable the plugin until patching is complete
- Audit teacher roles — review which users have teacher roles across courses, especially courses that also use
mod_customcert
3. Post-Breach Audit
| Audit Task | Priority |
|---|---|
Review Moodle event logs for mod_customcert_save_element calls with cross-course elementid values | Critical |
| Compare current certificate template elements against known-good backups | High |
Audit which teacher accounts accessed editelement fragments outside their assigned course | High |
| Review certificate generation logs for unexpected template changes | Medium |
4. Monitor for Indicators of Exploitation
| Indicator | Description |
|---|---|
Web service calls to mod_customcert_save_element or mod_customcert_get_element_html with elementid values outside the teacher's course context | Direct exploitation attempt |
core_get_fragment calls with editelement from unexpected courses | Reconnaissance or exploitation |
| Unexpected changes to certificate template elements in courses | Post-exploitation tampering |
| Teacher accounts accessing courses they are not enrolled in | Anomalous cross-course activity |
Post-Remediation Checklist
- Confirm plugin version — verify
mod/customcertis running 4.4.9 or 5.0.3 via Site Administration → Plugins → Plugin Overview - Review all certificate templates — compare current element content against backups for unauthorized changes
- Audit
mod/customcert:managecapability — ensure only administrators hold it in production - Review Moodle event logs — search for cross-course web service calls prior to patching
- Re-issue affected certificates — if tampering is found, re-generate and re-distribute affected certificates to learners
- Notify affected users — if certificate data (including learner records) was accessed across courses, assess data breach notification obligations under applicable law (FERPA, GDPR, PIPEDA, etc.)
References
- CVE-2026-30884 — NVD
- GitHub Security Advisory GHSA-8pjr-j7r4-ccjx
- Patch commit ddc8f01 — mdjnelson/moodle-mod_customcert
- CWE-639: Authorization Bypass Through User-Controlled Key — MITRE