CVE-2024-43426 Overview
CVE-2024-43426 is an arbitrary file read vulnerability affecting Moodle deployments where pdfTeX is available, such as environments with TeX Live installed. The flaw stems from insufficient sanitization in the TeX notation filter, allowing attackers to abuse pdfTeX file handling to read files accessible to the web server process. The issue is tracked as [CWE-1287] (Improper Validation of Specified Type of Input) and impacts confidentiality of server-side files. Red Hat and Moodle have published advisories describing the impact and remediation guidance.
Critical Impact
Unauthenticated network attackers can read arbitrary files from Moodle servers with pdfTeX/TeX Live installed, exposing sensitive configuration and user data.
Affected Products
- Moodle (versions using the TeX notation filter with pdfTeX/TeX Live present)
- Deployments bundling pdfTeX from TeX Live distributions
- Red Hat ecosystems shipping affected Moodle packages
Discovery Timeline
- 2024-11-07 - CVE-2024-43426 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-43426
Vulnerability Analysis
Moodle includes a TeX notation filter that renders mathematical expressions submitted by users. When pdfTeX from TeX Live is installed on the host, the filter invokes it to compile TeX input into rendered output. The filter fails to sufficiently sanitize input passed to pdfTeX, allowing attackers to embed TeX primitives that trigger file inclusion or reading operations.
pdfTeX supports macros such as \input, \openin, and \read that reference filesystem paths during compilation. Attackers who submit crafted TeX notation through any Moodle interface honoring the filter can coerce pdfTeX into reading arbitrary files readable by the Moodle service account. The attack requires network access to a Moodle endpoint that renders TeX notation and does not require authentication in configurations where anonymous content submission is allowed.
Root Cause
The root cause is missing input sanitization in the TeX notation filter before content is passed to the pdfTeX executable. TeX is a fully programmable typesetting system, and unsanitized input allows attackers to invoke file access primitives instead of pure mathematical expressions. This maps to [CWE-1287], where inputs are not validated against the expected type or grammar for their consumer.
Attack Vector
The attack is delivered over the network by submitting crafted TeX notation to any Moodle feature that renders it, such as forum posts, quiz questions, or assignments. When Moodle passes the payload to pdfTeX, the interpreter processes file-reading directives and returns file contents inside the rendered PDF or associated log data. Exploitation requires no user interaction beyond normal rendering of the malicious content.
The vulnerability manifests during TeX compilation when file-access primitives are executed. See the Red Hat Bug Report #2304254 and Moodle Forum Discussion #461194 for technical details.
Detection Methods for CVE-2024-43426
Indicators of Compromise
- Unusual TeX notation in forum posts, quizzes, or assignments containing \input, \openin, \read, or references to system paths like /etc/passwd or Moodle config.php.
- pdfTeX log files (.log) referencing files outside the expected TeX working directory or Moodle data root.
- Unexpected pdflatex or pdftex child processes spawned by the Moodle web server user reading sensitive filesystem locations.
Detection Strategies
- Inspect Moodle filter input for TeX primitives associated with file I/O and alert on submissions containing \input{, \openin, or absolute paths.
- Monitor process creation events for pdftex invoked by the web server account and correlate with file access outside the TeX cache directory.
- Review Moodle logs for TeX filter rendering activity from unauthenticated or low-privilege users at unusual volumes.
Monitoring Recommendations
- Enable auditd or equivalent file access auditing on /etc, Moodle config.php, and other sensitive paths readable by the web service account.
- Forward web application and pdfTeX process logs to a centralized log platform and alert on file-read primitives inside TeX payloads.
- Track outbound rendered PDFs generated by the TeX filter for anomalous size or content indicative of exfiltration.
How to Mitigate CVE-2024-43426
Immediate Actions Required
- Apply the Moodle security update referenced in the Moodle Forum Discussion #461194 advisory.
- Disable the TeX notation filter in Moodle site administration until patched if pdfTeX is present on the host.
- Restrict filesystem permissions for the Moodle web service account so it cannot read sensitive files such as /etc/passwd or credentials.
Patch Information
Upgrade Moodle to a fixed release as documented by the vendor in the Moodle Forum Discussion #461194. Downstream distributions should track the Red Hat Bug Report #2304254 for package updates.
Workarounds
- Disable the TeX notation filter under Site administration → Plugins → Filters until the patch is applied.
- Remove or restrict execution of pdftex and pdflatex by the Moodle web server user where TeX rendering is not required.
- Configure openin_any = p (paranoid) in the site texmf.cnf to prevent pdfTeX from reading files outside the current working directory.
# Restrict pdfTeX file input scope in texmf.cnf
openin_any = p
openout_any = p
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

