Cyber Resilience

CVE-2026-26045

HighRCE

Published: 21 February 2026

Published
21 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26045 is a high-severity Code Injection (CWE-94) vulnerability in Moodle Moodle. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26045 is a code injection vulnerability (CWE-94) in Moodle's backup restore functionality, published on 2026-02-21. The flaw occurs because specially crafted backup files are not properly validated during processing, potentially leading to unintended execution of server-side code when a malicious backup is restored. It affects Moodle instances where backup restoration is enabled.

Exploitation requires authenticated access with privileged user permissions, as restore capabilities are typically restricted to administrators or similar roles. An attacker with such access could upload and restore a malicious backup file over the network with low complexity and no user interaction, achieving high confidentiality, integrity, and availability impacts. This could result in full compromise of the Moodle server, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H).

Red Hat advisories provide further details on the vulnerability, including mitigation and patching guidance, at https://access.redhat.com/security/cve/CVE-2026-26045, with an associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2440901.

EU & UK References

Vulnerability details

A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are…

more

typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The CVE describes a remote code injection flaw in a public-facing web application (Moodle) that accepts specially crafted backup files from authenticated privileged users. This directly enables T1190 (exploitation of a public-facing application to obtain code execution) and facilitates T1059 (arbitrary server-side command/script execution as the immediate post-exploitation effect).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-67847Same product: Moodle Moodle
CVE-2025-26533Same product: Moodle Moodle
CVE-2025-26530Same product: Moodle Moodle
CVE-2025-67850Same product: Moodle Moodle
CVE-2025-67848Same product: Moodle Moodle
CVE-2026-26046Same product: Moodle Moodle
CVE-2025-26529Same product: Moodle Moodle
CVE-2025-67853Same product: Moodle Moodle
CVE-2025-26525Same product: Moodle Moodle
CVE-2021-47857Same product: Moodle Moodle

Affected Assets

moodle
moodle
≤ 4.5.9 · 5.0.0 — 5.0.5 · 5.1.0 — 5.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of input (backup files) to block malformed content that triggers server-side code execution.

prevent

Requires mechanisms to detect and block malicious code contained in or introduced by restored backup files.

prevent

Limits restore capability to the fewest accounts necessary, reducing the population that can trigger the flawed code path.

References