Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
9DescriptionGitHub Advisory
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.
AnalysisAI
Insecure Direct Object Reference in Chamilo LMS /api/course_rel_users endpoint allows authenticated attackers to enroll arbitrary users into any course without authorization (CVSS 7.1, High Integrity impact). Affects all versions prior to 2.0.0-RC.3. The vulnerability enables authenticated users to manipulate user-course relationships by modifying the user parameter in API requests, bypassing enrollment controls entirely. No public exploit code identified at time of analysis, though the attack v
Technical ContextAI
This vulnerability exploits an Insecure Direct Object Reference (CWE-639) in Chamilo LMS's REST API course enrollment functionality. The /api/course_rel_users endpoint accepts a user field in the request body to specify which user should be enrolled in a course. The backend implementation fails to implement server-side authorization checks to verify that the authenticated requester either owns the specified user ID or possesses delegated permissions to modify that user's course enrollments. This represents a classic broken object-level authorization (BOLA) vulnerability common in REST APIs where object identifiers are accepted from client input without validating the requester's relationship to those objects. The API trusts client-supplied user IDs directly, allowing horizontal privilege escalation where one authenticated user can modify another user's course memberships. Chamilo LMS is an open-source PHP-based learning management system used primarily in educational institutions, with this vulnerability residing in the version 2.x codebase prior to release candidate 3.
RemediationAI
Upgrade immediately to Chamilo LMS version 2.0.0-RC.3 or later, available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3. This release includes authorization validation fixes that verify the authenticated user has proper permissions before modifying user-course relationships through the /api/course_rel_users endpoint. Organizations unable to upgrade immediately should implement compensating controls including API gateway-level request filtering to restrict access to the /api/course_rel_users endpoint to only administrative roles, enhanced logging and monitoring of enrollment API calls to detect anomalous patterns where single users are enrolling multiple other user accounts, and temporary disabling of self-service enrollment features if the API is exposed to untrusted authenticated users. Review course enrollment audit logs for the period prior to patching to identify any unauthorized enrollments that may have occurred, particularly focusing on high-value or restricted courses. Consult the vendor security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x373-8j9j-g5pj for additional context and the specific commits (2a9f060, bd2ba34, c9c30cd) that implement the authorization checks if manual backporting to older versions is required.
More in Chamilo Lms
View allChamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C
Chamilo is a learning management system. [CVSS 8.8 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22718