Skip to main content

Chamilo Lms CVE-2026-33736

| EUVDEUVD-2026-21567 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-10 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
EUVD ID Assigned
Apr 10, 2026 - 19:22 euvd
EUVD-2026-21567
Analysis Generated
Apr 10, 2026 - 19:22 vuln.today
CVE Published
Apr 10, 2026 - 19:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.

AnalysisAI

Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students and lower-privileged users to enumerate all platform users and extract sensitive personal information (email addresses, phone numbers, role assignments) through an unauthenticated API endpoint (GET /api/users), enabling reconnaissance of administrator accounts and organizational structure. The vulnerability affects any installation with user accounts below administrative level and is fixed in version 2.0.0-RC.3.

Technical ContextAI

The vulnerability stems from improper access control on the Chamilo LMS REST API endpoint /api/users (CWE-639: Authorization through User-Controlled Key). The API fails to enforce role-based access controls, allowing authenticated users with ROLE_STUDENT or equivalent non-administrative roles to retrieve complete user directory information intended only for administrators. This is a classic horizontal privilege escalation in API design where insufficient server-side authorization checks permit lower-privileged users to access resources beyond their intended scope. The API endpoint returns structured user objects containing email, phone, roles, and account metadata without filtering based on the authenticated user's actual permissions.

RemediationAI

Upgrade Chamilo LMS to version 2.0.0-RC.3 or later, which implements proper role-based access controls on the /api/users endpoint. For organizations unable to upgrade immediately, implement network-level restrictions on the /api/users endpoint (WAF rules, reverse proxy filtering) to require administrative IP whitelisting, and disable API access for non-administrative roles at the application configuration level if such options exist. Review the GitHub commit 1739371ce1c562c007c7f5d53e6d65b7a4ff4109 for implementation details of the authorization fix. Consult the official security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9 for deployment guidance.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-33736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy