2026-07-18 · view entry permalink →
Moodle local_o365 plugin: unverified JWT signature on the Teams SSO endpoint lets anyone authenticate as any user (CVE-2026-54733)
BSI CERT-Bund's advisory WID-SEC-2026-2400 (severity "hoch") surfaced CVE-2026-54733 in local_o365, the official Microsoft 365 / Entra ID integration plugin for Moodle, disclosed through Microsoft's own repository advisory published 2026-07-06 (GitHub Security Advisory, 2026-07-06) and surfaced in-window by BSI CERT-Bund's advisory WID-SEC-2026-2400 (2026-07-16/17, BSI CERT-Bund, 2026-07-16). The flaw (CWE-347, improper verification of cryptographic signature) sits in sso_login.php, the plugin's Microsoft Teams single-sign-on endpoint: the code base64-decoded an incoming JWT and authenticated the user from its upn (user principal name) claim alone — "the signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload" (GitHub Security Advisory, 2026-07-06). The consequence is a pre-auth impersonation primitive: "an unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim" and be logged in as that user — a site administrator included, which the advisory summarizes as effectively full site takeover. Institutional address books make the prerequisite trivial: most UPNs follow guessable naming conventions. Fixed in plugin versions 4.5.6, 5.0.5 and 5.1.1; the GitHub CNA scores it CVSS 4.0 9.3 (GitHub Security Advisory, 2026-07-06). No in-the-wild exploitation is reported by any fetched source.
The signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload.
An unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim.
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Microsoft Office 365 (Moodle Plugin) ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Benutzer zu imitieren und sich so erweiterte Berechtigungen, einschließlich Administratorzugriff, zu verschaffen.