This vulnerability affects Mahara multi-tenanted sites where institution administrators or support administrators who also have the 'Site staff' role can masquerade as members of institutions they do not administer. This is due to insufficient access control checks on role permissions, classified under CWE-284 (Improper Access Control). The issue is present in versions before 24.04.10 and 25 before 25.04.1. The CVSS 3.1 base score is 4.7, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and impacts on confidentiality, integrity, and availability at a low level.

An attacker with institution administrator or support administrator privileges and the 'Site staff' role can impersonate users from other institutions where they lack administrative rights. This could lead to unauthorized access to user data and actions performed under the guise of another institution member, potentially violating confidentiality and integrity within the affected multi-tenanted environment. The impact is rated medium based on the CVSS score and the nature of the access control bypass.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should review and restrict the assignment of the 'Site staff' role combined with institution administrator privileges to minimize risk. Monitoring role assignments and limiting multi-tenancy administrative privileges may reduce exposure.