PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7038 Moodle CVE debrief

CVE-2016-7038 is a Moodle token-lifecycle flaw: web service tokens are not invalidated when a user changes their password or is forced to change it. In practice, that means a stolen or otherwise exposed token can continue to work even after password remediation, weakening a common containment step.

Vendor
Moodle
Product
Moodle
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-20
Original CVE updated
2026-05-13
Advisory published
2017-01-20
Advisory updated
2026-05-13

Who should care

Moodle administrators, security teams, and application owners who rely on Moodle web service tokens for API access or integrations. It matters most where tokens are long-lived, tied to privileged accounts, or used in environments that depend on password resets to cut off access.

Technical summary

NVD rates the issue 7.3 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps it to CWE-640. The affected set in NVD includes Moodle 2.x and 3.x releases through 2.7.15, 2.8.0-2.8.12, 2.9.0-2.9.7, 3.0.0-3.0.5, and 3.1.0-3.1.1. The core problem is that password changes do not revoke existing web service tokens, so token-based access can outlive the user credential change that should have ended it.

Defensive priority

High. Prioritize this anywhere Moodle web service tokens are in use, because password resets do not reliably terminate existing token access on affected versions.

Recommended defensive actions

  • Upgrade Moodle to a vendor-fixed release referenced by the Moodle advisory linked in NVD.
  • Review and revoke active web service tokens for accounts that may have been exposed, especially after password changes or forced resets.
  • Rotate credentials and reissue tokens for sensitive integrations, and verify that token invalidation is part of your account-remediation workflow.
  • Audit logs for continued API activity from tokens that should have been retired.
  • Restrict token scope and reduce token lifetime where your deployment and governance model allow it.
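The following is an added illustration, not Moodle's own code (Moodle is PHP; this is a small Python model). It shows the behaviour described in the technical summary (a web service token that stays valid after its owner's password changes) beside the corrected lifecycle in which a password change revokes the user's tokens, and it implements the audit step from the list above: given token issue times and the time of each user's latest password change, flag API calls made with a token that predates the change. The token store, log format and timestamps are all constructed for the example and do not reflect Moodle's real schema or log layout.

```python
"""Constructed model of CVE-2016-7038 token lifecycle plus a stale-token log check.
Not Moodle code: store layout, log line format and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


def parse_ts(text: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp format (naive UTC)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Token:
    token_id: str
    user_id: int
    valid_until: datetime
    revoked: bool = False


class TokenStore:
    """Toy web-service token store. revoke_on_password_change=False models the
    vulnerable behaviour; True models the corrected behaviour."""

    def __init__(self, revoke_on_password_change: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.tokens: dict[str, Token] = {}

    def issue(self, token_id: str, user_id: int, now: datetime,
              lifetime: timedelta = timedelta(days=30)) -> Token:
        tok = Token(token_id, user_id, now + lifetime)
        self.tokens[token_id] = tok
        return tok

    def change_password(self, user_id: int) -> int:
        """Return the number of tokens revoked; always 0 in the vulnerable model."""
        if not self.revoke_on_password_change:
            return 0
        revoked = 0
        for tok in self.tokens.values():
            if tok.user_id == user_id and not tok.revoked:
                tok.revoked = True
                revoked += 1
        return revoked

    def is_valid(self, token_id: str, now: datetime) -> bool:
        tok = self.tokens.get(token_id)
        return tok is not None and not tok.revoked and now < tok.valid_until


def lifecycle_demo(revoke_on_password_change: bool) -> bool:
    """Issue a token, change the owner's password, and report whether the old
    token still authenticates afterwards."""
    store = TokenStore(revoke_on_password_change)
    t0 = parse_ts("2017-01-20T09:00:00Z")
    store.issue("tok_old", user_id=7, now=t0)
    store.change_password(user_id=7)
    return store.is_valid("tok_old", t0 + timedelta(hours=1))


# Constructed log format: one web service call per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ws_call token=(?P<token>\w+) user=(?P<user>\d+) function=(?P<fn>\S+)$"
)


def detect_stale_token_use(log_lines, token_issued_at, password_changed_at):
    """Flag calls where the token was issued before the user's latest password
    change but used after it. Returns a list of (token, user_id, timestamp, function).
    token_issued_at: {token_id: datetime}; password_changed_at: {user_id: datetime}."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not web service calls
        ts = parse_ts(m["ts"])
        token, user_id, fn = m["token"], int(m["user"]), m["fn"]
        changed = password_changed_at.get(user_id)
        issued = token_issued_at.get(token)
        if changed is None or issued is None:
            continue  # no password change on record, or unknown token
        if issued < changed < ts:
            flagged.append((token, user_id, ts, fn))
    return flagged


# Constructed sample data: user 7 changed password at 10:00; tok_old predates it.
SAMPLE_LOG = """\
2017-01-20T09:00:00Z ws_call token=tok_old user=7 function=core_course_get_courses
2017-01-20T11:30:00Z ws_call token=tok_old user=7 function=core_user_get_users
2017-01-20T12:05:00Z ws_call token=tok_new user=7 function=core_course_get_courses
2017-01-20T12:10:00Z ws_call token=tok_other user=9 function=core_course_get_courses
"""
TOKEN_ISSUED_AT = {
    "tok_old": parse_ts("2017-01-10T08:00:00Z"),
    "tok_new": parse_ts("2017-01-20T12:00:00Z"),
    "tok_other": parse_ts("2017-01-10T08:00:00Z"),
}
PASSWORD_CHANGED_AT = {7: parse_ts("2017-01-20T10:00:00Z")}


if __name__ == "__main__":
    print("vulnerable model, token valid after password change:", lifecycle_demo(False))
    print("corrected model, token valid after password change:", lifecycle_demo(True))
    for hit in detect_stale_token_use(SAMPLE_LOG.splitlines(), TOKEN_ISSUED_AT, PASSWORD_CHANGED_AT):
        print("stale token use:", hit)
```

Only the 11:30 call is flagged: the 09:00 call happened before the password change, `tok_new` was issued after it, and user 9 has no change on record. Adapting the check to a real deployment means mapping the actual token issue times and password-change events from the database and access logs; the comparison itself stays the same.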

Evidence notes

The supplied corpus shows the CVE published on 2017-01-20 and last modified in NVD on 2026-05-13. NVD lists the severity, CVSS vector, and CWE-640, and it references a Moodle forum advisory/patch discussion plus a SecurityFocus BID entry. The corpus does not provide a fixed version number, so remediation guidance is limited to the vendor advisory reference and general defensive token management.

Official resources

Publicly disclosed in the CVE record on 2017-01-20. The NVD entry supplied here was last modified on 2026-05-13, but that is a record update date, not the original vulnerability date.