What is the CVSS score of CVE-2026-33710?

CVE-2026-33710 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Chamilo LMS are affected by CVE-2026-33710?

Chamilo LMS versions before 1.11.38 and 2.0.0-RC.3 generate predictable API keys due to a flawed random seed implementation, allowing unauthenticated attackers to brute-force valid credentials and…. A patch is available.

How to fix or mitigate CVE-2026-33710?

Within 24 hours: Inventory all Chamilo LMS deployments and identify instances running versions prior to 1.11.38 or 2.0.0-RC.3. Within 7 days: Apply vendor-released patch to upgrade to Chamilo 1.11.38 or 2.0.0-RC.3 or later across all affected systems. Within 30 days: Audit REST API access logs for suspicious activity; rotate all existing API keys; implement rate limiting and IP whitelisting on API endpoints; and require re-authentication for sensitive operations.

Chamilo LMS CVE-2026-33710

EUVD-2026-21565 HIGH

Use of Insufficiently Random Values (CWE-330)

2026-04-10 security-advisories@github.com

Information Disclosure

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 18:37 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 05:58 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2.0.0-RC.3,1.11.38

EUVD ID Assigned

Apr 10, 2026 - 19:22 euvd

EUVD-2026-21565

Analysis Generated

Apr 10, 2026 - 19:22 vuln.today

CVE Published

Apr 10, 2026 - 19:16 nvd

HIGH 7.5

DescriptionNVD

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

AnalysisAI

Predictable API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows unauthenticated remote attackers to brute-force valid REST API keys. The md5-based generation algorithm uses a flawed random seed (rand(10000,10000) always returns 10000), reducing the keyspace to md5(timestamp + user_id*5 - 10000). …

RemediationAI

Within 24 hours: Inventory all Chamilo LMS deployments and identify instances running versions prior to 1.11.38 or 2.0.0-RC.3. Within 7 days: Apply vendor-released patch to upgrade to Chamilo 1.11.38 or 2.0.0-RC.3 or later across all affected systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33710 vulnerability details – vuln.today

Back

Chamilo LMS CVE-2026-33710

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code