CVE-2026-54733
Microsoft · O365-Moodle
The Microsoft 365 Integration plugin for Moodle fails to verify JWT signatures in the Teams SSO endpoint, allowing unauthenticated attackers to forge session tokens.
Executive summary
An authentication bypass vulnerability in the Microsoft 365 Integration plugin for Moodle allows unauthenticated attackers to impersonate any user, posing a critical risk to system integrity.
Vulnerability
This flaw involves improper verification of cryptographic signatures within the local_o365 Teams SSO endpoint. An unauthenticated attacker can supply a crafted JWT payload to the sso_login.php script to obtain a valid Moodle session as an arbitrary user.
Business impact
Successful exploitation grants an attacker full access to a victim's Moodle account without requiring credentials. Given the CVSS score of 9.3, this represents a critical risk that could lead to unauthorized data access, administrative privilege escalation, and significant reputational damage to the institution.
Remediation
Immediate Action: Update the Microsoft Office 365 Integration plugin to versions 4.5.6, 5.0.5, or 5.1.1 immediately.
Proactive Monitoring: Audit Moodle authentication logs for unexpected logins via the sso_login.php endpoint or unusual session activity associated with high privilege accounts.
Compensating Controls: Restrict access to the sso_login.php endpoint via Web Application Firewall rules if immediate patching is not feasible.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is critical because it permits total account takeover without user interaction. Administrators must prioritize updating the Moodle plugin to the specified secure versions to eliminate this authentication bypass vector.