CVE-2026-26045
Published: 21 February 2026
Summary
CVE-2026-26045 is a high-severity Code Injection (CWE-94) vulnerability in Moodle Moodle. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-26045 is a code injection vulnerability (CWE-94) in Moodle's backup restore functionality, published on 2026-02-21. The flaw occurs because specially crafted backup files are not properly validated during processing, potentially leading to unintended execution of server-side code when a malicious backup is restored. It affects Moodle instances where backup restoration is enabled.
Exploitation requires authenticated access with privileged user permissions, as restore capabilities are typically restricted to administrators or similar roles. An attacker with such access could upload and restore a malicious backup file over the network with low complexity and no user interaction, achieving high confidentiality, integrity, and availability impacts. This could result in full compromise of the Moodle server, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H).
Red Hat advisories provide further details on the vulnerability, including mitigation and patching guidance, at https://access.redhat.com/security/cve/CVE-2026-26045, with an associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2440901.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7390
Vulnerability details
A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are…
more
typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote code injection flaw in a public-facing web application (Moodle) that accepts specially crafted backup files from authenticated privileged users. This directly enables T1190 (exploitation of a public-facing application to obtain code execution) and facilitates T1059 (arbitrary server-side command/script execution as the immediate post-exploitation effect).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of input (backup files) to block malformed content that triggers server-side code execution.
Requires mechanisms to detect and block malicious code contained in or introduced by restored backup files.
Limits restore capability to the fewest accounts necessary, reducing the population that can trigger the flawed code path.