PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5014 Moodle CVE debrief

CVE-2016-5014 affects Moodle's event monitoring behavior: an unenrolled user can still receive notifications even after they can no longer access the course. That makes the issue an information disclosure problem rather than a direct service outage, but it can still expose course-related activity to someone who should no longer see it.

Vendor: Moodle
Product: CVE-2016-5014
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Moodle administrators, LMS operators, and course owners who use event monitoring or manage enrollments and course access.

Technical summary

The supplied NVD record describes a Moodle access-control flaw in which a user who has been unenrolled from a course continues to receive event monitor notifications for it. NVD maps the issue to CWE-200 (information exposure) and assigns the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N: network-reachable, low attack complexity, no privileges required, user interaction required, scope unchanged, with low confidentiality and integrity impact and no availability impact. The supplied CPE entries mark Moodle 2.8.0-2.8.12, 2.9.0-2.9.6, 3.0.0-3.0.4, and 3.1.0 as vulnerable.

Defensive priority

Medium

Recommended defensive actions

  • Apply the Moodle vendor patch referenced in the official Moodle advisory linked from the NVD record.
  • Review event monitoring rules and confirm unenrolled users are no longer receiving course notifications.
  • Audit enrollment and unenrollment workflows to verify access removal is paired with notification suppression.
  • Check whether any course content or activity metadata could be exposed through notifications sent after unenrollment.
  • Use the official NVD and Moodle references to confirm which deployed Moodle builds are affected in your environment.
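The second and third actions above amount to one check: find event monitor subscriptions whose owner no longer holds an enrolment in the subscribed course. The query below is an added example for this debrief, not code from Moodle or from the vendor advisory. It assumes Moodle's default "mdl_" table prefix and the event monitor tables mdl_tool_monitor_subscriptions and mdl_tool_monitor_rules joined against mdl_enrol and mdl_user_enrolments; confirm those names against your deployed schema before running it. It is read-only and is meant to be run before and after patching so that a non-empty result after the patch flags subscriptions that still need cleanup.

```sql
-- Added defender check (not part of the advisory or Moodle's own code).
-- Lists course-scoped event monitor subscriptions whose user has no
-- enrolment of any status in that course. Table and column names are
-- assumptions about the default Moodle schema (mdl_ prefix); verify first.
SELECT s.id        AS subscription_id,
       s.userid,
       s.courseid,
       r.name      AS rule_name,
       r.eventname AS monitored_event,
       s.timecreated
FROM   mdl_tool_monitor_subscriptions s
JOIN   mdl_tool_monitor_rules r
       ON r.id = s.ruleid
WHERE  s.courseid <> 0          -- courseid 0 is a site-level subscription, out of scope here
AND    NOT EXISTS (
         SELECT 1
         FROM   mdl_user_enrolments ue
         JOIN   mdl_enrol e
                ON e.id = ue.enrolid
         WHERE  e.courseid = s.courseid
         AND    ue.userid  = s.userid
       )
ORDER  BY s.courseid, s.userid;
```

Rows returned are subscriptions that outlived the user's course access, which is exactly the condition the CVE describes. Review each one with the course owner rather than deleting blindly: a subscription may be legitimately held by a site administrator or a user with course access granted outside enrolment, and the query does not model those cases.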

Evidence notes

This debrief is based only on the supplied NVD/CVE corpus and linked official references. The NVD record was published on 2017-01-20 and last modified on 2026-05-13 in the supplied data. The record states that an unenrolled user still receives event monitor notifications, lists CWE-200, provides CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, and includes vulnerable CPE entries for Moodle 2.8.x, 2.9.x, 3.0.x, and 3.1.0. The record also references a Moodle vendor advisory/patch and a SecurityFocus BID entry. No KEV entry is present in the supplied enrichment.

Official resources

CVE published in the supplied record on 2017-01-20 and last modified on 2026-05-13. The supplied enrichment does not list this issue in CISA KEV.