CVE-2025-67857
MEDIUMmoodle < 4.1.21 and >= 0 < 4.1.22 - Unauthenticated User Identifier Exposure in Anonymous Assignment Submission URLs
Title source: llmDescription
A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.
References (3)
Core 3
Core References
Third Party Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-67857
Third Party Advisory issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2423868
Vendor Advisory
https://moodle.org/mod/forum/discuss.php?d=471307
Scores
CVSS v3
4.3
EPSS
0.0034
EPSS Percentile
25.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-201
Status
published
Products (3)
moodle/moodle
5.1.0
moodle/moodle
< 4.1.21
moodle/moodle
0 - 4.1.22Packagist
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026