CVE-2026-54733: CWE-347: Improper Verification of Cryptographic Signature in microsoft o365-moodle
The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin local_o365 Teams SSO endpoint sso_login.php base64-decodes a JWT payload and authenticates users from the upn claim without verifying the JWT signature, allowing an unauthenticated attacker to forge a token and obtain a Moodle session as an O365-authenticated user. This issue is fixed in versions 4.5.6, 5.0.5, and 5.1.1.
AI Analysis
Technical Summary
The vulnerability in Microsoft 365 and Microsoft Entra ID Plugins for Moodle (o365-moodle) arises from improper verification of cryptographic signatures (CWE-347) in the Teams SSO endpoint sso_login.php. Specifically, the plugin base64-decodes the JWT payload and authenticates users solely based on the upn claim without validating the JWT signature. This flaw enables unauthenticated attackers to forge tokens and impersonate Office 365 authenticated users within Moodle. The vulnerability affects versions prior to 4.5.6, 5.0.5, and 5.1.1 and has a CVSS 4.0 score of 9.3 (critical). The vulnerability is present in the plugin code, not in a cloud service component. Patches are available in the fixed versions.
Potential Impact
An attacker can bypass authentication by forging JWT tokens without a valid cryptographic signature, allowing unauthorized access to Moodle sessions as legitimate Office 365 users. This leads to a complete compromise of user accounts within Moodle integrated with Microsoft 365 and Azure Active Directory via the vulnerable plugin versions. The vulnerability is critical due to its ease of exploitation (no privileges or user interaction required) and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available in Microsoft 365 and Microsoft Entra ID Plugins for Moodle versions 4.5.6, 5.0.5, and 5.1.1. Users should upgrade to one of these versions immediately to remediate the vulnerability. Since this is a plugin vulnerability, patching the affected Moodle plugin installations is necessary. There is no indication that the vendor manages remediation server-side for this plugin, so manual update is required. Patch status is confirmed by the vendor advisory information.
CVE-2026-54733: CWE-347: Improper Verification of Cryptographic Signature in microsoft o365-moodle
Description
The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin local_o365 Teams SSO endpoint sso_login.php base64-decodes a JWT payload and authenticates users from the upn claim without verifying the JWT signature, allowing an unauthenticated attacker to forge a token and obtain a Moodle session as an O365-authenticated user. This issue is fixed in versions 4.5.6, 5.0.5, and 5.1.1.
CVSS v4.0
Score 9.3critical
Affected software
pkg:github/microsoft/o365-moodleRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Microsoft 365 and Microsoft Entra ID Plugins for Moodle (o365-moodle) arises from improper verification of cryptographic signatures (CWE-347) in the Teams SSO endpoint sso_login.php. Specifically, the plugin base64-decodes the JWT payload and authenticates users solely based on the upn claim without validating the JWT signature. This flaw enables unauthenticated attackers to forge tokens and impersonate Office 365 authenticated users within Moodle. The vulnerability affects versions prior to 4.5.6, 5.0.5, and 5.1.1 and has a CVSS 4.0 score of 9.3 (critical). The vulnerability is present in the plugin code, not in a cloud service component. Patches are available in the fixed versions.
Potential Impact
An attacker can bypass authentication by forging JWT tokens without a valid cryptographic signature, allowing unauthorized access to Moodle sessions as legitimate Office 365 users. This leads to a complete compromise of user accounts within Moodle integrated with Microsoft 365 and Azure Active Directory via the vulnerable plugin versions. The vulnerability is critical due to its ease of exploitation (no privileges or user interaction required) and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available in Microsoft 365 and Microsoft Entra ID Plugins for Moodle versions 4.5.6, 5.0.5, and 5.1.1. Users should upgrade to one of these versions immediately to remediate the vulnerability. Since this is a plugin vulnerability, patching the affected Moodle plugin installations is necessary. There is no indication that the vendor manages remediation server-side for this plugin, so manual update is required. Patch status is confirmed by the vendor advisory information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-15T23:07:33.232Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a58f9c068715ace434105d5
Added to database: 07/16/2026, 15:33:20 UTC
Last enriched: 07/16/2026, 15:48:19 UTC
Last updated: 07/16/2026, 16:18:14 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.