CVE-2025-26526: Moodle's feedback response viewing and deletions did not respect Separate Groups mode

February 24, 2025

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

References

github.com/advisories/GHSA-pxg4-xjp7-w9c5
github.com/moodle/moodle
moodle.org/mod/forum/discuss.php?d=466142
nvd.nist.gov/vuln/detail/CVE-2025-26526

Detect and mitigate CVE-2025-26526 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →