Bug 2440901 (CVE-2026-26045)

Summary: CVE-2026-26045 moodle: Moodle: Improper Validation in File Restore Functionality Leading to Remote Code Execution
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2440902    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-19 08:45:20 UTC 
A Remote Code Execution vulnerability exists in Moodle’s file restore functionality due to insufficient validation of backup file contents during the restore process. An authenticated user with restore permissions can upload a specially crafted Moodle backup archive that may trigger execution of arbitrary PHP code when processed by the server. Successful exploitation could result in complete compromise of the Moodle instance, including unauthorized access to data, system modification, or service disruption.