Chamilo LMS EUVD-2026-22772

| CVE-2026-40291 HIGH
Improper Privilege Management (CWE-269)
2026-04-14 [email protected]
Privilege Escalation
8.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0-RC.3
Analysis Generated
Apr 14, 2026 - 22:42 vuln.today

DescriptionNVD

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

Privilege escalation in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated students to gain full administrative access via API manipulation. Low-privilege users (ROLE_STUDENT) can modify their own user record through the PUT /api/users/{id} endpoint to assign themselves ROLE_ADMIN privileges, bypassing intended access controls. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all Chamilo LMS instances in production and determine current versions via admin console or API documentation endpoints. Within 7 days: Apply vendor patch to upgrade all instances to version 2.0.0-RC.3 or later; if patching is blocked by dependencies, immediately implement network segmentation restricting API access to trusted internal networks only. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-22772 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy