Skip to main content

Chamilo Lms CVE-2026-40291

| EUVDEUVD-2026-22772 HIGH
Improper Privilege Management (CWE-269)
2026-04-14 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 22, 2026 - 18:37 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0-RC.3
Analysis Generated
Apr 14, 2026 - 22:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22772
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

Privilege escalation in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated students to gain full administrative access via API manipulation. Low-privilege users (ROLE_STUDENT) can modify their own user record through the PUT /api/users/{id} endpoint to assign themselves ROLE_ADMIN privileges, bypassing intended access controls. The vulnerability stems from inadequate authorization checks that verify only record ownership without restricting modification of security-critical fields. With CVSS 8.8 (High) and low attack complexity requiring only basic authentication, this represents a critical access control failure in educational platforms. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the straightforward attack vector makes exploitation trivial for malicious insiders.

Technical ContextAI

Chamilo LMS is an open-source learning management system built on API Platform, which uses Symfony security expressions for authorization. The vulnerability resides in the API Platform security configuration for the User entity's PUT endpoint. The security expression is_granted('EDIT', object) performs ownership validation but fails to implement attribute-level access control. The roles field is improperly included in the writable serialization group, allowing authenticated users to modify their own role assignments through standard HTTP PUT requests. This represents a classic example of CWE-269 (Improper Privilege Management), where the application fails to properly validate authorization for privilege-modifying operations. The API Platform framework's declarative security model relies on developers explicitly restricting access to sensitive fields, which was not implemented for the roles attribute. The vulnerability specifically affects the /api/users/{id} REST endpoint where {id} can be the authenticated user's own identifier.

RemediationAI

Immediately upgrade to Chamilo LMS version 2.0.0-RC.3 or later, which contains fixes that properly restrict modification of the roles field through API endpoints. The patched release is available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3. Organizations unable to immediately upgrade should implement compensating controls including restricting network access to the /api/users/ endpoint to trusted administrative networks only, implementing web application firewall rules to block PUT requests to /api/users/{id} containing roles field modifications, and conducting immediate audits of user role assignments to identify any unauthorized privilege escalations that may have already occurred. Review application logs for suspicious PUT requests to the users API endpoint, particularly those originating from student accounts. After upgrading, verify that the roles field is no longer writable through the API by non-administrative users and consider implementing additional monitoring for privilege changes. Consult the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x for additional vendor guidance.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-40291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy