Moodle is vulnerable to an access restriction bypass. The web service layer does not restrict a call to the functions of the external service linked to the access token presented, so functions that belong to other external services can be run as well. Using this flaw, an authenticated user can run arbitrary functions from any external service using a token intended for only one service.
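
The missing check, modelled as an added example in Python; this is not Moodle's code. The service names, function names, tokens and dispatcher functions are all hypothetical and constructed here to show a dispatcher that ignores the token's service next to one that enforces it, plus a regression audit that lists every cross-service call that succeeds.

```python
"""Model of token-to-service binding in a web service dispatcher (constructed example)."""

# Constructed sample data: two external services and the functions each exposes.
SERVICES = {
    "mobile_app": {"get_site_info", "get_own_grades"},
    "admin_sync": {"create_users", "delete_users"},
}

# Constructed tokens: each is issued to one user for exactly one service.
TOKENS = {
    "tok-student": {"user": "student1", "service": "mobile_app"},
    "tok-sync": {"user": "syncbot", "service": "admin_sync"},
}


class AccessDenied(Exception):
    pass


def _all_functions():
    return set().union(*SERVICES.values())


def dispatch_unrestricted(token, function):
    """Flawed: authenticates the token but ignores which service it belongs to."""
    if token not in TOKENS:
        raise AccessDenied("invalid token")
    if function not in _all_functions():
        raise AccessDenied("unknown function")
    return f"{function} executed for {TOKENS[token]['user']}"


def dispatch_bound(token, function):
    """Corrected: the function must belong to the service the token was issued for."""
    record = TOKENS.get(token)
    if record is None:
        raise AccessDenied("invalid token")
    if function not in SERVICES.get(record["service"], set()):
        raise AccessDenied(f"{function} is not part of service {record['service']}")
    return f"{function} executed for {record['user']}"


def audit(dispatch):
    """Return every (token, function) pair that crosses a service boundary yet succeeds."""
    leaks = []
    for token, record in TOKENS.items():
        for function in sorted(_all_functions() - SERVICES[record["service"]]):
            try:
                dispatch(token, function)
                leaks.append((token, function))
            except AccessDenied:
                pass
    return leaks
```

Running `audit` against a dispatcher in a test suite turns the advisory's condition into a check: an empty list means no token can reach a function outside its own service.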