4.5.9
5.0.5
5.1.2
CVE-2026-26045 is a Remote Code Execution (RCE) vulnerability discovered in Moodle’s backup and restore functionality. An attacker can exploit this flaw by crafting and restoring a malicious backup file, potentially leading to full compromise of the Moodle server. This vulnerability affects Moodle versions up to and including 5.1.1, and a fix is available in version 5.1.2.
The impact of CVE-2026-26045 is significant due to the potential for complete server takeover. An attacker who can successfully restore a malicious backup file gains the ability to execute arbitrary code on the Moodle server. This could involve installing malware, stealing sensitive data (user credentials, course content, database information), or using the compromised server as a launchpad for further attacks within the network. The vulnerability requires authenticated access, meaning the attacker needs valid login credentials to a privileged Moodle user account to initiate the restore process. Given Moodle's widespread use in educational institutions and organizations, the potential blast radius is substantial.
CVE-2026-26045 was publicly disclosed on 2026-02-21. The vulnerability's impact and the requirement for authenticated access suggest a moderate exploitation probability. No public proof-of-concept (PoC) code has been released as of this writing, but the potential for RCE makes it a high-priority vulnerability to address. It is not currently listed on CISA KEV.
Educational institutions, organizations, and businesses that rely on Moodle for learning management are at risk. Specifically, deployments with weak password policies or shared administrator accounts are more vulnerable. Organizations using Moodle plugins that interact with the backup and restore functionality should also assess their risk.
• php: Examine Moodle logs for errors or unusual activity during backup and restore operations. Look for patterns indicative of code execution attempts.
grep -i 'error' /var/log/apache2/error.log | grep 'moodle'
• php: Monitor file uploads to the Moodle backup directory for suspicious files. Check file extensions and content for potentially malicious code.
find /var/www/moodle/backup -type f -name '*.zip' -print0 | xargs -0 file
• generic web: Monitor network traffic for unusual POST requests to Moodle's backup and restore endpoints.
• generic web: Review Moodle user accounts and permissions, ensuring that only authorized personnel have access to backup and restore functionality.
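The request-monitoring check above, as an added example (not from the Moodle advisory or from this page's source): a shell function that counts POSTs to the restore scripts per client in an Apache combined-format access log and marks clients outside an administrator allowlist for review. The script paths `/backup/restore.php` and `/backup/restorefile.php` are assumed from a stock Moodle tree, and the log lines and addresses are constructed samples.

```bash
#!/bin/sh
# Added example: audit POSTs to Moodle restore scripts in an access log.
# Assumption: stock Moodle script names; an optional URL prefix is tolerated.
RESTORE_RE='/backup/(restore|restorefile)[.]php([?]|$)'

# restore_posts LOGFILE [ALLOWED_IP ...]
# Prints one "ip count ALLOWED|REVIEW" line per client that POSTed to a
# restore script. REVIEW means the client is not on the allowlist.
restore_posts() {
    log=$1; shift
    awk -v re="$RESTORE_RE" -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Combined log format: $1 = client, $6 = "\"METHOD", $7 = request path
        $6 == "\"POST" && $7 ~ re { hits[$1]++ }
        END {
            for (ip in hits)
                printf "%s %d %s\n", ip, hits[ip], ((ip in ok) ? "ALLOWED" : "REVIEW")
        }' "$log" | LC_ALL=C sort
}

# Constructed sample log (documentation address ranges, invented requests).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [21/Feb/2026:10:01:02 +0000] "POST /backup/restore.php?contextid=2 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Feb/2026:10:01:09 +0000] "GET /backup/restore.php?contextid=2 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2026:23:14:40 +0000] "POST /backup/restorefile.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2026:23:14:55 +0000] "POST /backup/restore.php HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Feb/2026:23:15:01 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
EOF
}

# Demo: 192.0.2.10 stands in for a known administrator workstation.
tmp=$(mktemp) && write_sample_log "$tmp" && restore_posts "$tmp" 192.0.2.10
rm -f "$tmp"
```

Point `restore_posts` at the real access log and pass the addresses administrators normally restore from; any REVIEW line is a restore request worth matching against Moodle's own logs for the same time window.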
Exploit status
EPSS: 0.09% (26th percentile)
The primary mitigation for CVE-2026-26045 is to immediately upgrade Moodle to version 5.1.2 or later. If upgrading is not immediately feasible, restrict access to the backup and restore functionality to only trusted administrators. Implement strict file validation and sanitization procedures for all uploaded backup files. Consider using a Web Application Firewall (WAF) to detect and block suspicious backup file uploads or restore requests. Monitor Moodle logs for unusual activity related to backup and restore operations. After upgrading, confirm the fix by attempting to restore a test backup file and verifying that no unexpected code execution occurs.
Update Moodle to the latest available version (4.5.9, 5.0.5 or 5.1.2, or later) to fix the vulnerability. This prevents remote code execution when restoring malicious backup files. The update must be performed by a system administrator.
CVE-2026-26045 is a Remote Code Execution vulnerability in Moodle’s backup and restore functionality, allowing attackers to execute code on the server if they can restore a malicious backup file. It has a CVSS score of 7.2 (HIGH).
You are affected if you are running Moodle versions 5.1.1 or earlier. Upgrade to 5.1.2 or later to mitigate the vulnerability.
The recommended fix is to upgrade Moodle to version 5.1.2 or later. If immediate upgrading is not possible, restrict access to backup/restore and implement file validation.
While no active exploitation has been publicly confirmed, the potential for RCE makes it a high-priority vulnerability. Monitor your systems closely.
Refer to the official Moodle security advisory for detailed information and updates: [https://security.moodle.org/mod/showcontent?content=340](https://security.moodle.org/mod/showcontent?content=340)