Skip to main content

Chamilo Lms CVE-2026-33708

| EUVDEUVD-2026-21563 MEDIUM
Missing Authorization (CWE-862)
2026-04-10 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.11.38
EUVD ID Assigned
Apr 10, 2026 - 19:22 euvd
EUVD-2026-21563
Analysis Generated
Apr 10, 2026 - 19:22 vuln.today
CVE Published
Apr 10, 2026 - 19:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.

AnalysisAI

Chamilo LMS REST API endpoint get_user_info_from_username fails to authorize requests, exposing personal information (email, names, user ID, active status) to any authenticated user regardless of role prior to version 1.11.38. An attacker with valid login credentials, including a student account, can enumerate and retrieve sensitive user data for any account in the system.

Technical ContextAI

The vulnerability resides in the REST API implementation of Chamilo LMS, specifically in the get_user_info_from_username endpoint. The flaw is a missing authorization check (CWE-862: Missing Authorization) that allows the endpoint to return personally identifiable information without verifying whether the requesting user has legitimate access to view that data. While the endpoint requires authentication (PR:L per CVSS vector), it performs no role-based or attribute-based access control to limit data exposure. The vulnerability affects Chamilo LMS versions prior to 1.11.38, as indicated in the GitHub commit and security advisory.

RemediationAI

Upgrade Chamilo LMS to version 1.11.38 or later immediately. This version includes the authorization fix that adds proper access control checks to the get_user_info_from_username REST API endpoint. Follow the official Chamilo LMS upgrade documentation at https://github.com/chamilo/chamilo-lms to ensure a clean transition. Until upgrade is possible, restrict API access at the network layer (firewall rules, WAF policies) to limit exposure to REST endpoints from untrusted networks, though this does not fully mitigate the vulnerability since internal or student users can still abuse the endpoint. Review API audit logs for suspicious get_user_info_from_username calls and monitor for unauthorized enumeration activity.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-33708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy