Skip to main content

Chamilo Lms CVE-2026-33703

| EUVDEUVD-2026-21543 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-10 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 16, 2026 - 18:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:58 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
EUVD ID Assigned
Apr 10, 2026 - 18:45 euvd
EUVD-2026-21543
Analysis Generated
Apr 10, 2026 - 18:45 vuln.today
CVE Published
Apr 10, 2026 - 18:23 nvd
HIGH 7.1

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.

AnalysisAI

Insecure Direct Object Reference in Chamilo LMS allows authenticated users to access complete personal data and API tokens of any user by manipulating the userId parameter in the /social-network/personal-data/{userId} endpoint. Attack requires only low-privilege authentication (PR:L) and no user interaction, enabling mass disclosure of credentials and sensitive information across the entire platform. Affects all Chamilo LMS versions prior to 2.0.0-RC.3. No public exploit identified at time of analysis.

Technical ContextAI

CWE-639 (Authorization Bypass Through User-Controlled Key) flaw in social networking module fails to validate authenticated user authorization against requested userId parameter. Missing object-level access control permits horizontal privilege escalation, exposing profile data and authentication tokens through predictable numeric user identifiers. Network-accessible (AV:N), low complexity (AC:L), no attack complexity requirements (AT:N).

RemediationAI

Vendor-released patch: upgrade to Chamilo LMS version 2.0.0-RC.3 or later, which implements proper authorization checks on the social-network personal data endpoint. Organizations unable to upgrade immediately should implement network-level access controls restricting authenticated user access to the /social-network/personal-data/ endpoint, or temporarily disable the social networking module until patching is complete. Rotate all API tokens for users whose data may have been accessed. Full advisory available at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-33703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy