EUVD-2026-21565
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Analysis
Predictable API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows unauthenticated remote attackers to brute-force valid REST API keys. The md5-based generation algorithm uses a flawed random seed (rand(10000,10000) always returns 10000), reducing the keyspace to md5(timestamp + user_id*5 - 10000). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit current Chamilo deployment version (check admin dashboard or version.php) and verify REST API enablement status (API settings in configuration). Within 7 days: Immediately upgrade to Chamilo 1.11.38 or 2.0.0-RC.3 or later if available, or disable REST API endpoints via configuration if upgrade cannot be completed. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today