Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38.
AnalysisAI
Privilege escalation in Chamilo LMS versions prior to 1.11.38 allows any authenticated user with a REST API key to elevate their account status from student (status=5) to teacher/course manager (status=1) by manipulating the status field through the update_user_from_username REST API endpoint. This enables unauthorized course creation and management capabilities. Authentication is required (PR:L), but once exploited, attackers gain high-integrity administrative functions within the learning management system. No public exploit identified at time of analysis.
Technical ContextAI
Root cause is improper privilege management (CWE-269) in the REST API's update_user_from_username endpoint. The API fails to validate whether the authenticated user has authorization to modify sensitive account attributes like the status field, allowing low-privileged users to perform status-changing operations reserved for administrators. Network-accessible (AV:N) with low attack complexity (AC:L).
RemediationAI
Vendor-released patch: upgrade to Chamilo LMS version 1.11.38 or later, which implements proper authorization checks on the update_user_from_username endpoint to prevent unauthorized status field modifications. The fix is available via commit 0acf8a196307c66c049f97f5ff76cf21c4a08127. Until patching, disable REST API access for untrusted users or revoke all student-level API keys. Review audit logs for unauthorized status changes (student accounts elevated to status=1). Official advisory: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw. Verify no privilege escalation has occurred before applying the patch by auditing user status fields in the database.
More in Chamilo Lms
View allChamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C
Chamilo is a learning management system. [CVSS 8.8 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21559