Impact
The vulnerability allows institution administrators or support administrators who also hold the Site staff role on a multi‑tenant Mahara site to impersonate users in institutions they do not administer. A privileged user can thus masquerade as an ordinary member, bypassing ownership boundaries and potentially reading that member's personal data or executing actions under their identity, which can lead to data leakage or tampering. The flaw is an access‑control oversight (CWE‑284): a user holding overlapping roles can exercise permissions beyond the intended scope of either role. While the CVSS score of 4.7 indicates medium severity, exploitation requires prior possession of Site staff privileges, which limits the attack surface.
Affected Systems
The flaw exists in Mahara releases before 24.04.10 and before 25.04.1. Any deployment running those releases in a multi‑tenant configuration with accounts holding the Site staff role is vulnerable. A structured affected vendors/products list is not available, but the issue affects the Mahara open‑source e‑learning platform.
Risk and Exploitability
The EPSS score is below 1 %, suggesting a low likelihood of exploitation in the near term, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that the attacker already possess Site staff privileges, which could be obtained through social engineering or compromised accounts. Once in place, the attacker can locally impersonate a member of another institution by accessing the institution member interface. Given the moderate CVSS score and limited scope, the risk is moderate but still warrants remediation.
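To make the access‑control oversight concrete, the following added example (not Mahara's own code; the role model, user fields and function names are hypothetical) contrasts a flawed masquerade check that only looks at the actor's roles with a hardened one that also compares the target's institution memberships, and shows the audit line a defender would want logged for every impersonation decision.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Minimal model of a Mahara-style account (constructed for this example)."""
    name: str
    institutions: set = field(default_factory=set)      # institutions the user is a member of
    site_admin: bool = False
    site_staff: bool = False
    admin_of: set = field(default_factory=set)          # institutions the user administers
    support_admin_of: set = field(default_factory=set)  # institutions the user supports


def can_masquerade_weak(actor: User, target: User) -> bool:
    """Flawed pattern (CWE-284): a staff-level role plus *any* institution admin
    role is enough, so the target's own institution is never compared."""
    if actor.site_admin:
        return True
    has_admin_role = bool(actor.admin_of or actor.support_admin_of)
    return actor.site_staff and has_admin_role


def can_masquerade_fixed(actor: User, target: User) -> bool:
    """Hardened check: non-site-admins may only masquerade as members of an
    institution they actually administer or support."""
    if actor.site_admin:
        return True
    administered = actor.admin_of | actor.support_admin_of
    return bool(administered & target.institutions)


def audit_masquerade(actor: User, target: User, check=can_masquerade_fixed) -> str:
    """Return one audit-log line; impersonation decisions should always be logged."""
    decision = "ALLOW" if check(actor, target) else "DENY"
    return (f"masquerade actor={actor.name} target={target.name} "
            f"target_institutions={sorted(target.institutions)} decision={decision}")


def demo() -> dict:
    """Constructed scenario mirroring the advisory: a Site staff member who
    administers one institution tries to impersonate a member of another."""
    staff_admin = User("alice", {"eng"}, site_staff=True, admin_of={"eng"})
    other_member = User("bob", {"law"})
    own_member = User("carol", {"eng"})
    return {
        "cross_institution_weak": can_masquerade_weak(staff_admin, other_member),
        "cross_institution_fixed": can_masquerade_fixed(staff_admin, other_member),
        "own_institution_fixed": can_masquerade_fixed(staff_admin, own_member),
    }
```

Deploying the hardened check is not enough on its own: the audit line makes cross‑institution DENY decisions visible, which is the signal a detection rule can alert on.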
OpenCVE Enrichment