Skip to main content

Chamilo Lms CVE-2026-33141

| EUVDEUVD-2026-21535 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-10 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
EUVD ID Assigned
Apr 10, 2026 - 18:22 euvd
EUVD-2026-21535
Analysis Generated
Apr 10, 2026 - 18:22 vuln.today
CVE Published
Apr 10, 2026 - 18:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.

AnalysisAI

Insecure Direct Object Reference in Chamilo LMS REST API stats endpoint allows authenticated low-privilege users to read unauthorized access to any user's learning progress, certificates, and gradebook scores across all courses prior to version 2.0.0-RC.3. The vulnerability requires only valid user credentials (accessible to students with ROLE_USER) and network access, enabling horizontal privilege escalation without administrative intervention or system compromise. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Chamilo LMS implements a REST API endpoint for retrieving statistics and academic records. The stats endpoint fails to enforce proper authorization checks at the object level, implementing only authentication (user login requirement) without verifying that the requesting user has legitimate access to the specific user record or course enrollment being queried. This is classified as Insecure Direct Object Reference (CWE-639: Authorization Through User-Controlled Key), where the API accepts user-supplied identifiers (user IDs, course IDs) without validating the requester's relationship to those resources. Any authenticated user can manipulate API request parameters to enumerate and retrieve learning progress data, certificate status, and gradebook entries belonging to other users. The vulnerability exists in versions prior to 2.0.0-RC.3 and affects the REST API authentication layer rather than the core LMS application.

RemediationAI

Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately. The upstream fix was applied via commit 792ba05953470ca971617fe2674ed14c1479fa80 and is included in the patched release. Organizations unable to upgrade immediately should restrict REST API access at the application or network level, disable the stats endpoint if not critical to operations, or implement additional authorization checks in API middleware to verify user enrollment or supervisory relationship before serving academic records. Review API access logs for anomalous patterns of cross-user data requests. See https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj for complete remediation guidance and configuration recommendations.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-33141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy