Platform: php
Component: moodle/moodle
Fixed in: 4.5.9, 5.0.5, 5.1.2
CVE-2026-26045 is a Remote Code Execution (RCE) vulnerability in Moodle’s backup and restore functionality. An attacker can exploit it by crafting a malicious backup file and restoring it, potentially leading to full compromise of the Moodle server. The vulnerability affects Moodle versions up to and including 5.1.1; fixes are available in versions 4.5.9, 5.0.5 and 5.1.2.
The impact of CVE-2026-26045 is significant due to the potential for complete server takeover. An attacker who can successfully restore a malicious backup file gains the ability to execute arbitrary code on the Moodle server. This could involve installing malware, stealing sensitive data (user credentials, course content, database information), or using the compromised server as a launchpad for further attacks within the network. The vulnerability requires authenticated access, meaning the attacker needs valid login credentials to a privileged Moodle user account to initiate the restore process. Given Moodle's widespread use in educational institutions and organizations, the potential blast radius is substantial.
CVE-2026-26045 was publicly disclosed on 2026-02-21. The vulnerability's impact and the requirement for authenticated access suggest a moderate exploitation probability. No public proof-of-concept (PoC) code has been released as of this writing, but the potential for RCE makes it a high-priority vulnerability to address. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.09% (26% percentile)
The primary mitigation for CVE-2026-26045 is to immediately upgrade Moodle to a fixed release (4.5.9, 5.0.5, 5.1.2 or later). If upgrading is not immediately feasible, restrict access to the backup and restore functionality to trusted administrators only. Implement strict file validation and sanitization procedures for all uploaded backup files. Consider using a Web Application Firewall (WAF) to detect and block suspicious backup file uploads or restore requests. Monitor Moodle logs for unusual activity related to backup and restore operations. After upgrading, confirm the fix by attempting to restore a test backup file and verifying that no unexpected code execution occurs.
Update Moodle to the latest available version (4.5.9, 5.0.5 or 5.1.2, or higher) to fix the vulnerability. This will prevent remote code execution when restoring malicious backup files. The update should be performed by a system administrator.
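Because the fix was released on three branches, a plain "older than 5.1.2" comparison misreports patched 4.5 and 5.0 sites. The following branch-aware check is an added example, not code from Moodle or from the advisory; it reads the `$release` line of Moodle's `version.php`, and the sample release strings and the handling of branches outside the page's list are assumptions.

```python
import re

# Fixed patch level per branch, from this page's "Fixed in" list.
FIXED = {(4, 5): 9, (5, 0): 5, (5, 1): 2}

# The $release assignment in Moodle's version.php, e.g.
#   $release = '4.5.3+ (Build: 20250321)';
RELEASE_RE = re.compile(r"\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(version_php_text):
    """Return (major, minor, patch) from version.php text, or None."""
    m = RELEASE_RE.search(version_php_text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(version_php_text):
    """Return (status, upgrade_target) for CVE-2026-26045."""
    release = parse_release(version_php_text)
    if release is None:
        return ("unknown", None)
    branch, patch = release[:2], release[2]
    if branch in FIXED:
        target = "%d.%d.%d" % (branch[0], branch[1], FIXED[branch])
        # A weekly build such as 5.1.1+ is still below the fixed minor.
        return ("fixed", None) if patch >= FIXED[branch] else ("affected", target)
    if branch > max(FIXED):
        # Assumption: branches newer than 5.1 ship with the fix included.
        return ("fixed", None)
    # Older branch with no fixed release listed on this page: the only
    # remedy is moving to one of the fixed branches.
    return ("affected", None)


# Constructed sample inputs (build dates are made up).
SAMPLES = [
    "$release = '4.5.9 (Build: 20260101)';",
    "$release  = '5.1.1+ (Build: 20260101)';",
    "$release = '4.4.12 (Build: 20260101)';",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", triage(line))
```
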
CVE-2026-26045 is a Remote Code Execution vulnerability in Moodle’s backup and restore functionality, allowing attackers to execute code on the server if they can restore a malicious backup file. It has a CVSS score of 7.2 (HIGH).
You are affected if you are running Moodle 5.1.1 or earlier and have not applied the fixed release for your branch. Upgrade to 4.5.9, 5.0.5, 5.1.2 or later to mitigate the vulnerability.
The recommended fix is to upgrade Moodle to a fixed version (4.5.9, 5.0.5, 5.1.2 or later). If immediate upgrading is not possible, restrict access to backup/restore and implement file validation.
While no active exploitation has been publicly confirmed, the potential for RCE makes it a high-priority vulnerability. Monitor your systems closely.
Refer to the official Moodle security advisory for detailed information and updates: [https://security.moodle.org/mod/showcontent?content=340](https://security.moodle.org/mod/showcontent?content=340)