How to fix CVE-2026-34602?

Within 24 hours: Identify all Chamilo LMS instances and document current versions. Within 7 days: Upgrade all Chamilo installations to version 2.0.0-RC.3 or later; test in non-production environment first. Within 30 days: Audit course enrollment logs for suspicious user-course relationships created after the vulnerability disclosure date; revoke unauthorized enrollments and validate course roster accuracy.

CVE-2026-34602

EUVD-2026-22718 HIGH

2026-04-14 [email protected]

Authentication Bypass

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:56 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

patch_available

Apr 16, 2026 - 05:29 EUVD

2.0.0-RC.3

Analysis Generated

Apr 14, 2026 - 22:41 vuln.today

DescriptionNVD

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

Insecure Direct Object Reference in Chamilo LMS /api/course_rel_users endpoint allows authenticated attackers to enroll arbitrary users into any course without authorization (CVSS 7.1, High Integrity impact). Affects all versions prior to 2.0.0-RC.3. …

RemediationAI

Within 24 hours: Identify all Chamilo LMS instances and document current versions. Within 7 days: Upgrade all Chamilo installations to version 2.0.0-RC.3 or later; test in non-production environment first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-34602 vulnerability details – vuln.today

Back