CVE-2025-26526: 
PHP vulnerability analysis and mitigation

CVE-2025-26526 is a security vulnerability discovered in Moodle's Feedback activities where Separate Groups mode restrictions were not properly implemented in permission checks for viewing or deleting responses. The vulnerability was discovered by Leon Stringer and disclosed on February 24, 2025. The affected versions include Moodle 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15, and earlier unsupported versions (Moodle Forum).

The vulnerability is classified with CWE-863 (Incorrect Authorization) and has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The core issue stems from insufficient permission checks in the Feedback activities module, where the system failed to factor in Separate Groups mode restrictions when controlling access to viewing and deletion of responses (NVD Database).

The vulnerability allows unauthorized access to view or delete responses in Feedback activities, bypassing the intended group-based access restrictions. This could lead to potential data exposure and unauthorized manipulation of feedback responses across different groups that should normally be separated (Moodle Forum).

The vulnerability has been fixed in Moodle versions 4.5.2, 4.4.6, 4.3.10, and 4.1.16. Organizations running affected versions should upgrade to the corresponding fixed version to mitigate this security risk. The fix can be tracked through the Moodle git repository with the reference MDL-79976 (Moodle Git).