Skip to main content

Chamilo Lms CVE-2026-34602

| EUVDEUVD-2026-22718 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-14 security-advisories@github.com
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

9
Patch released
Apr 22, 2026 - 18:46 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
Analysis Generated
Apr 14, 2026 - 22:41 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22718
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

Insecure Direct Object Reference in Chamilo LMS /api/course_rel_users endpoint allows authenticated attackers to enroll arbitrary users into any course without authorization (CVSS 7.1, High Integrity impact). Affects all versions prior to 2.0.0-RC.3. The vulnerability enables authenticated users to manipulate user-course relationships by modifying the user parameter in API requests, bypassing enrollment controls entirely. No public exploit code identified at time of analysis, though the attack v

Technical ContextAI

This vulnerability exploits an Insecure Direct Object Reference (CWE-639) in Chamilo LMS's REST API course enrollment functionality. The /api/course_rel_users endpoint accepts a user field in the request body to specify which user should be enrolled in a course. The backend implementation fails to implement server-side authorization checks to verify that the authenticated requester either owns the specified user ID or possesses delegated permissions to modify that user's course enrollments. This represents a classic broken object-level authorization (BOLA) vulnerability common in REST APIs where object identifiers are accepted from client input without validating the requester's relationship to those objects. The API trusts client-supplied user IDs directly, allowing horizontal privilege escalation where one authenticated user can modify another user's course memberships. Chamilo LMS is an open-source PHP-based learning management system used primarily in educational institutions, with this vulnerability residing in the version 2.x codebase prior to release candidate 3.

RemediationAI

Upgrade immediately to Chamilo LMS version 2.0.0-RC.3 or later, available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3. This release includes authorization validation fixes that verify the authenticated user has proper permissions before modifying user-course relationships through the /api/course_rel_users endpoint. Organizations unable to upgrade immediately should implement compensating controls including API gateway-level request filtering to restrict access to the /api/course_rel_users endpoint to only administrative roles, enhanced logging and monitoring of enrollment API calls to detect anomalous patterns where single users are enrolling multiple other user accounts, and temporary disabling of self-service enrollment features if the API is exposed to untrusted authenticated users. Review course enrollment audit logs for the period prior to patching to identify any unauthorized enrollments that may have occurred, particularly focusing on high-value or restricted courses. Consult the vendor security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x373-8j9j-g5pj for additional context and the specific commits (2a9f060, bd2ba34, c9c30cd) that implement the authorization checks if manual backporting to older versions is required.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-34602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy