CVE-2026-54733

Microsoft · O365-Moodle

The Microsoft 365 Integration plugin for Moodle fails to verify JWT signatures in the Teams SSO endpoint, allowing unauthenticated attackers to forge session tokens.

Executive summary

An authentication bypass vulnerability in the Microsoft 365 Integration plugin for Moodle allows unauthenticated attackers to impersonate any user, posing a critical risk to system integrity.

Vulnerability

This flaw involves improper verification of cryptographic signatures within the local_o365 Teams SSO endpoint. An unauthenticated attacker can supply a crafted JWT payload to the sso_login.php script to obtain a valid Moodle session as an arbitrary user.

Business impact

Successful exploitation grants an attacker full access to a victim's Moodle account without requiring credentials. Given the CVSS score of 9.3, this represents a critical risk that could lead to unauthorized data access, administrative privilege escalation, and significant reputational damage to the institution.

Remediation

Immediate Action: Update the Microsoft Office 365 Integration plugin to versions 4.5.6, 5.0.5, or 5.1.1 immediately.

Proactive Monitoring: Audit Moodle authentication logs for unexpected logins via the sso_login.php endpoint or unusual session activity associated with high privilege accounts.

Compensating Controls: Restrict access to the sso_login.php endpoint via Web Application Firewall rules if immediate patching is not feasible.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is critical because it permits total account takeover without user interaction. Administrators must prioritize updating the Moodle plugin to the specified secure versions to eliminate this authentication bypass vector.