Skip to main content

Chamilo Lms CVE-2026-34370

| EUVDEUVD-2026-22716 MEDIUM
Improper Authorization (CWE-285)
2026-04-14 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 18:46 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
Analysis Generated
Apr 14, 2026 - 22:43 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22716
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The application fetches the note content using only the supplied integer ID without verifying that the requesting user owns the note, and the full title and HTML body are rendered in the edit form and returned to the attacker's browser. While ownership checks exist in the write paths (updateNote() and delete_note()), they are entirely absent from the read path (get_note_information()). This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students to read private course notes of any other user via an Insecure Direct Object Reference (IDOR) vulnerability in the notebook module's editnote action. An attacker can manipulate the notebook_id parameter to bypass ownership checks in the read path (get_note_information()), exposing note titles and HTML body content despite write-path protections existing in updateNote() and delete_note(). The vulnerability requires valid student credentials but impacts confidentiality of sensitive educational materials across the platform.

Technical ContextAI

The Chamilo LMS notebook module implements asymmetric authorization controls: ownership verification exists in write operations (updateNote and delete_note functions) but is entirely absent from the read operation (get_note_information). This represents a classic IDOR pattern (CWE-285: Improper Authorization) where the application trusts user-supplied integer IDs for direct object access without enforcing access control. The editnote action fetches and renders note content (title and HTML body) directly in the edit form based solely on the provided notebook_id parameter, failing to validate the relationship between the requesting user's identity and the note owner. The vulnerability exposes a gap in access control logic where the same resource should enforce consistent authorization across all operation types (read, write, delete).

RemediationAI

Upgrade Chamilo LMS to version 2.0.0-RC.3 or later, which includes ownership verification in the get_note_information() read path. Organizations unable to upgrade immediately should restrict access to the notebook module via application-level controls or reverse proxy rules to limit access to the editnote action to authorized user groups only. Additionally, audit access logs for suspicious notebook_id parameter enumeration patterns (sequential integer IDs across different notes) to detect exploitation attempts. Detailed patch information and upgrade instructions are available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3 and https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fm35-2hvw-564q.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-34370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy