External risk intelligence

Moodle Office 365 Integration Plugin Signature Verification Bypass

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54733

The vulnerability exists in a Moodle plugin designed to provide SSO integration. Moodle instances are commonly deployed as public-facing web applications to support remote learning, and SSO login endpoints are inherently designed to be reachable over the internet to facilitate user authentication from external identity providers.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in Moodle plugins that integrate with Microsoft 365 and Microsoft Entra ID, specifically affecting the Teams Single Sign-On feature. This issue could allow an unauthenticated attacker to impersonate a legitimate user, potentially leading to unauthorized access to Moodle resources. The primary concern is to determine if your Moodle environment utilizes these specific plugins.

  • Unauthenticated users can gain Moodle access.
  • Impacts login processes for connected Microsoft accounts.
  • Confirm plugin usage; assess exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this by sending a specially crafted request to the Teams SSO login endpoint. This request bypasses signature verification, allowing the attacker to create a fake token. If successful, the attacker can gain a Moodle session impersonating an Office 365-authenticated user.

  • No specific access required.
  • Forge token via Teams SSO endpoint.
  • Impersonate authenticated Moodle user.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could gain unauthorized Moodle session access by forging a token, impersonating an Office 365 authenticated user. This could affect Moodle's integrity and any data or services accessed through it, given the plugin's role in authentication and integration with Microsoft 365 and Microsoft Entra ID.

  • Moodle user sessions and integrated services.
  • Forged token sent to the SSO endpoint.
  • Unauthorized access to user data or services.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the Microsoft 365 and Microsoft Entra ID Plugins for Moodle, affecting organizations that use these plugins for Office 365 and Azure Active Directory integration. The Moodle platform owner or the designated application administrators are likely responsible for assessing and remediating this issue. The first practical step is to identify all Moodle instances utilizing these plugins, confirm their reachability and business criticality, and then coordinate with the vendor or internal teams to plan for applying the necessary updates.

  • Identify plugin owners and scope.
  • Verify Moodle instances and exposure.
  • Plan remediation through vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Microsoft 365 and Microsoft Entra ID plugin for Moodle?

It is an add-on for the Moodle learning management system that enables Single Sign-On (SSO) and data synchronization with Microsoft 365 and Azure Active Directory. By using this integration, schools and organizations allow their members to access Moodle resources using their existing Microsoft identity, simplifying the login process for students and staff while connecting Moodle's collaborative features with the broader Microsoft ecosystem.

What is the weakness in CVE-2026-54733?

This vulnerability is classified as Improper Verification of Cryptographic Signature (CWE-347). In technical terms, the plugin fails to check if the security token it receives is authentic before trusting it. Because the software does not verify the digital signature, it cannot distinguish between a legitimate token issued by Microsoft and a fake one created by an attacker, leading to unauthorized user impersonation.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted request to the plugin's Teams SSO login endpoint. The attacker does not need to be an existing user or hold any valid credentials. Crucially, the vulnerability relies on the plugin blindly trusting the data in the request; simply visiting the site or interacting with other Moodle features does not trigger the bug—the attack must be directed specifically at the vulnerable SSO login process.

Is my Moodle instance at risk?

If you use the affected Moodle plugin, your site is at risk. Halo Surface Signal indicates that because Moodle sites are frequently exposed to the public internet to support remote learning, and because this specific SSO endpoint must be accessible to handle external authentication requests, the vulnerability is highly relevant for most deployments. If your instance is reachable from the internet, it is inherently positioned to receive these malicious requests.

What is the first step to fix this issue?

Your immediate priority is to identify every Moodle instance in your environment that has the Microsoft 365 integration installed. Once you have a complete inventory, verify the specific version number of the plugin in use. If you are running a version prior to 4.5.6, 5.0.5, or 5.1.1, you must update to one of these patched versions or newer to close the SSO bypass hole.

References