CVE-2026-30884 Overview
CVE-2026-30884 is a critical Insecure Direct Object Reference (IDOR) vulnerability affecting the mdjnelson/moodle-mod_customcert plugin, a popular Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. The vulnerability allows teachers with the mod/customcert:manage capability in any single course to read and silently overwrite certificate elements belonging to any other course in the Moodle installation.
The core_get_fragment callback editelement and the mod_customcert_save_element web service both fail to verify that the supplied elementid belongs to the authorized context, enabling cross-course information disclosure and data tampering. This represents a severe authorization bypass that could compromise academic integrity across an entire Moodle installation.
Critical Impact
Teachers with limited permissions can access and modify certificate data across all courses, potentially forging certificates or exfiltrating sensitive information from any course in the system.
Affected Products
- moodle-mod_customcert versions prior to 4.4.9
- moodle-mod_customcert versions prior to 5.0.3
- Moodle installations utilizing the customcert plugin
Discovery Timeline
- 2026-03-18 - CVE-2026-30884 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-30884
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as an Insecure Direct Object Reference (IDOR). The flaw exists in the plugin's web service endpoints and fragment callback handlers that process certificate element operations.
When a user with the mod/customcert:manage capability makes requests to edit or save certificate elements, the system accepts an elementid parameter but fails to validate whether that element belongs to a course the user is authorized to manage. This architectural oversight means the authorization check only verifies that the user has the manage capability in at least one course context, rather than verifying authorization for the specific element being accessed.
The attack surface is network-accessible with low complexity requirements. An attacker needs only low-privilege access (a teacher role with manage capability in any single course) to exploit this vulnerability. The scope is changed because exploitation affects resources beyond the vulnerable component's authorization boundary, impacting confidentiality and integrity across the entire Moodle installation.
Root Cause
The root cause is insufficient authorization validation in the core_get_fragment callback for editelement and the mod_customcert_save_element web service. Both handlers accept user-supplied elementid values without verifying that the element belongs to a certificate within the user's authorized course context. The authorization logic checks capability at the course level but doesn't bind that check to the specific resource being manipulated.
Attack Vector
An attacker exploiting this vulnerability would need to be authenticated as a teacher with mod/customcert:manage capability in at least one course. From there, the attack proceeds through network-based requests to the vulnerable web service endpoints.
The attack involves enumerating or guessing elementid values from other courses and submitting requests to either retrieve element data (information disclosure) or overwrite element configurations (data tampering). Since element IDs are typically sequential integers, enumeration is straightforward. The attacker can use the core_get_fragment callback to read certificate element configurations from any course, or use mod_customcert_save_element to modify those elements silently without triggering any authorization failures.
This cross-course access enables scenarios including exfiltrating certificate templates and student data from confidential courses, modifying certificate content to forge credentials, and tampering with academic records across the institution.
Detection Methods for CVE-2026-30884
Indicators of Compromise
- Unusual web service calls to mod_customcert_save_element with element IDs that don't belong to the requesting user's courses
- Access logs showing repeated enumeration patterns of element IDs
- Modifications to certificate elements by users who don't have direct access to the affected courses
- Moodle event logs showing core_get_fragment callbacks for editelement across course boundaries
Detection Strategies
- Monitor Moodle access logs for patterns of sequential elementid enumeration in customcert-related endpoints
- Implement log correlation to detect users accessing certificate elements outside their assigned courses
- Review Moodle event logs for cross-course certificate element modifications
- Enable verbose logging on the customcert plugin to track element access patterns
Monitoring Recommendations
- Set up alerts for web service calls to mod_customcert_save_element from users with limited course enrollments
- Implement audit logging for all certificate element read and write operations with context validation
- Consider deploying a web application firewall (WAF) rule to monitor for IDOR-style enumeration patterns
- Regularly audit user role assignments and capability distributions for the mod/customcert:manage capability
How to Mitigate CVE-2026-30884
Immediate Actions Required
- Upgrade moodle-mod_customcert to version 4.4.9 or 5.0.3 immediately
- Audit certificate elements across all courses for unauthorized modifications
- Review access logs for signs of exploitation prior to patching
- Consider temporarily restricting the mod/customcert:manage capability until patches are applied
Patch Information
The vulnerability has been fixed in moodle-mod_customcert versions 4.4.9 and 5.0.3. The security patches implement proper context validation to ensure that the supplied elementid belongs to a certificate within the user's authorized course context. Detailed information is available in the GitHub Security Advisory GHSA-8pjr-j7r4-ccjx.
The fixes can be reviewed in the following commits:
Workarounds
- Temporarily disable the customcert plugin until the patch can be applied
- Restrict the mod/customcert:manage capability to only highly trusted administrative users
- Implement network-level access controls to limit who can reach the Moodle web services
- Enable enhanced logging and monitoring to detect potential exploitation attempts while awaiting patching
# Example: Restrict customcert capability via Moodle CLI
# Review and restrict role assignments for mod/customcert:manage
php admin/cli/check_capability.php --capability=mod/customcert:manage --role=editingteacher
# Consider creating a custom role with limited scope for certificate management
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
