ctipilot.ch

Moodle local_o365 plugin JWT-signature-not-verified SSO auth bypass

cve · CVE-2026-54733 single-source

Coverage timeline
1
first 2026-07-18 → last 2026-07-18
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
3
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Moodle local_o365 plugin (Microsoft Office 365 Integration for Moodle)

ATT&CK techniques

3 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-18/moodle-local-o365-jwt-forgery-admin-takeover-cve-2026-54733 · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-18/moodle-local-o365-jwt-forgery-admin-takeover-cve-2026-54733 · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-18/moodle-local-o365-jwt-forgery-admin-takeover-cve-2026-54733 · ATT&CK page ↗

Privilege Escalation TA0004

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-18/moodle-local-o365-jwt-forgery-admin-takeover-cve-2026-54733 · ATT&CK page ↗

Stealth TA0005

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-18/moodle-local-o365-jwt-forgery-admin-takeover-cve-2026-54733 · ATT&CK page ↗

Credential Access TA0006

T1606Forge Web Credentials×1

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Evidence: 2026-07-18/moodle-local-o365-jwt-forgery-admin-takeover-cve-2026-54733 · ATT&CK page ↗

Story timeline

  1. 2026-07-18Moodle local_o365 plugin: unverified JWT signature on the Teams SSO endpoint lets anyone authenticate as any user (CVE-2026-54733)
    trending-vulnerabilitiesThe official Microsoft 365 integration for Moodle authenticated forged JWTs — knowing a user's email was enough for full site takeover; patch 4.5.6/5.0.5/5.1.1

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • github.com1 (50%)
  • wid.cert-bund.de1 (50%)

explore in graph

Entries about Moodle local_o365 plugin JWT-signature-not-verified SSO auth bypass (1)

2026-07-18 · view entry permalink →

NOTABLECVE-2026-54733NATOA2

Moodle local_o365 plugin: unverified JWT signature on the Teams SSO endpoint lets anyone authenticate as any user (CVE-2026-54733)

BSI CERT-Bund's advisory WID-SEC-2026-2400 (severity "hoch") surfaced CVE-2026-54733 in local_o365, the official Microsoft 365 / Entra ID integration plugin for Moodle, disclosed through Microsoft's own repository advisory published 2026-07-06 (GitHub Security Advisory, 2026-07-06) and surfaced in-window by BSI CERT-Bund's advisory WID-SEC-2026-2400 (2026-07-16/17, BSI CERT-Bund, 2026-07-16). The flaw (CWE-347, improper verification of cryptographic signature) sits in sso_login.php, the plugin's Microsoft Teams single-sign-on endpoint: the code base64-decoded an incoming JWT and authenticated the user from its upn (user principal name) claim alone — "the signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload" (GitHub Security Advisory, 2026-07-06). The consequence is a pre-auth impersonation primitive: "an unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim" and be logged in as that user — a site administrator included, which the advisory summarizes as effectively full site takeover. Institutional address books make the prerequisite trivial: most UPNs follow guessable naming conventions. Fixed in plugin versions 4.5.6, 5.0.5 and 5.1.1; the GitHub CNA scores it CVSS 4.0 9.3 (GitHub Security Advisory, 2026-07-06). No in-the-wild exploitation is reported by any fetched source.

The signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload.

An unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim.

Microsoft o365-moodle GitHub Security Advisory 2026-07-06

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Microsoft Office 365 (Moodle Plugin) ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Benutzer zu imitieren und sich so erweiterte Berechtigungen, einschließlich Administratorzugriff, zu verschaffen.

BSI CERT-Bund 2026-07-16
vulnerability18 Jul 13:30Zsingle-sourceOpen finding ↗