Cyber Posture

CVE-2026-30884

Critical

Published: 18 March 2026

Modified: 16 April 2026
KEV Added: not listed
Patch: fixed in versions 4.4.9 and 5.0.3
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0002 (5.8th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30884 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the mdjnelson/moodle-mod_customcert Moodle plugin. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations by verifying that the supplied elementid belongs to the teacher's authorized course context, directly preventing cross-course information disclosure and data tampering.

AC-6 Least Privilege (prevent)
Applies least privilege to restrict the mod/customcert:manage capability strictly to the specific course context, mitigating unauthorized access to elements in other courses.

Input validation of elementid (prevent)
Validates the elementid input parameter in the editelement callback and the mod_customcert_save_element web service against the authorized context, blocking invalid cross-course operations.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Authorization bypass (IDOR) in public-facing Moodle web services directly enables exploitation of T1190 for initial access, T1213 for unauthorized cross-course data retrieval from certificate repositories, and T1565.001 for tampering with stored certificate elements.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

Deeper analysis

CVE-2026-30884 is a vulnerability in the mdjnelson/moodle-mod_customcert Moodle plugin, which enables dynamically generated certificates with web-based customization. In versions prior to 4.4.9 and 5.0.3, the core_get_fragment callback editelement and the mod_customcert_save_element web service fail to verify that the supplied elementid belongs to the authorized course context. This authorization bypass, tied to CWE-639, allows cross-course access to certificate elements and carries a CVSS v3.1 score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

An authenticated teacher with the mod/customcert:manage capability in any single course can exploit this remotely without user interaction. They can read sensitive certificate elements from other courses, disclosing confidential information, and silently overwrite those elements, tampering with data across the Moodle installation.
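To make the missing check concrete, the following is an added example of the hardened pattern the advisory describes: resolve the owning context from the element id itself, and only then enforce the capability. It is not the plugin's own code and not the fix from the advisory's commits; the `customcert_example_*` function names are hypothetical, and the schema chain `customcert_elements.pageid -> customcert_pages.templateid -> customcert_templates.contextid` is assumed. The Moodle core calls (`$DB->get_record`, `context::instance_by_id`, `require_capability`) are standard.

```php
<?php
// Added example, not mod_customcert code. Assumed schema: customcert_elements.pageid
// -> customcert_pages.templateid -> customcert_templates.contextid.
defined('MOODLE_INTERNAL') || die();

/**
 * Resolve the Moodle context that actually owns $elementid by walking the
 * element -> page -> template chain. MUST_EXIST makes an unknown or dangling
 * id throw instead of silently resolving to nothing.
 */
function customcert_example_element_context(int $elementid): context {
    global $DB;
    $element  = $DB->get_record('customcert_elements', ['id' => $elementid],
        'id, pageid', MUST_EXIST);
    $page     = $DB->get_record('customcert_pages', ['id' => $element->pageid],
        'id, templateid', MUST_EXIST);
    $template = $DB->get_record('customcert_templates', ['id' => $page->templateid],
        'id, contextid', MUST_EXIST);
    return context::instance_by_id($template->contextid, MUST_EXIST);
}

/**
 * Authorize an edit or save of $elementid that the request claims belongs to
 * $claimedcontextid.
 *
 * Vulnerable pattern (CWE-639): require_capability() is checked only against the
 * caller-supplied context, so any teacher holding mod/customcert:manage somewhere
 * passes, whatever course the element really belongs to.
 *
 * Hardened pattern: derive the owning context from the stored data, reject a
 * mismatch with the claimed context, and enforce the capability there.
 */
function customcert_example_require_element_access(int $elementid, int $claimedcontextid): context {
    $owning = customcert_example_element_context($elementid);

    // A mismatch means the id was taken from another course or template.
    if ((int) $owning->id !== $claimedcontextid) {
        throw new moodle_exception('nopermissions', 'error', '', 'edit this certificate element');
    }

    // The capability is enforced in the context derived from the data, never from the request.
    require_capability('mod/customcert:manage', $owning);
    return $owning;
}

// Typical use at the top of the fragment callback or the web-service method,
// after the ids have been read with required_param(..., PARAM_INT):
// $context = customcert_example_require_element_access($elementid, $contextid);
```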

The vulnerability is addressed in plugin versions 4.4.9 and 5.0.3. Additional mitigation details appear in the GitHub security advisory at GHSA-8pjr-j7r4-ccjx, along with the fixing commits a1494a80fb953f187f7888a7394cbf9d13c28468 and ddc8f01f1e19fb61202f6013a38ef757486d3ba0.

Details

CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key

CVEs Like This One

CVE-2026-24901 (shared CWE-639)
CVE-2026-25564 (shared CWE-639)
CVE-2026-1947 (shared CWE-639)
CVE-2024-50689 (shared CWE-639)
CVE-2026-28696 (shared CWE-639)
CVE-2026-26078 (shared CWE-639)
CVE-2026-33702 (shared CWE-639)
CVE-2026-40591 (shared CWE-639)
CVE-2026-29189 (shared CWE-639)
CVE-2026-4896 (shared CWE-639)
