04 May 2026, 10:00

Hello,

This latest release contains two security fixes that are of high importance, depending on the functionality you have enabled on your site. We would like to thank the people who made responsible disclosures of these security issues to us.

A list of fixes is available on the 'Releases' page, accessible to subscribers. We provide fixes for Mahara 26.04.0 and Mahara 25.04. We recommend you upgrade to at least Mahara 25.04 to continue receiving security updates. Alternatively, you can purchase the Extended Security Support.

Access updates

Subscribers have two options for accessing the latest code.

Via Git

• 26.04 Git branch
• 25.04 Git branch

As downloadable package

The changes are also available on the 'Releases' page as downloadable packages under the heading 'Mahara download files...' in each respective release, which also includes a list of issues linked to their descriptions that have been fixed:

• 26.04.0
• 25.04.5

If you use the download files, make sure not to download a file called 'source code'. You want to download the files that have the compiled code as only that will come with all necessary libraries and stylesheet information.

Update information

Please see the wiki for information on updating Mahara, based on the method you use, either via the code repository (Git) or the downloadable package.

CVE information that is already publicly available

CVE-2026-32313

Vulnerability type: Improper Validation of Integrity Check Value

This fix was included as part of the SimpleSamlPhp third-party plugin security update - see https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-4v26-v6cg-g6f9 for more information.

As subscriber, we recommend you update your instance of Mahara to the latest maintenance release of the series of Mahara you are using, or if you are on an unsupported version of Mahara, upgrade to a supported one.

Thank you

The Mahara team at Catalyst