SB20260424135 - Multiple vulnerabilities in Chamilo LMS
Published: April 24, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33736)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key in the User API endpoints when handling GET requests to /api/users and /api/users/{id}. A remote user can send crafted requests with user identifiers to disclose sensitive information.
The exposed information includes email addresses, phone numbers, and user roles, including administrator accounts.
2) Eval Injection (CVE-ID: CVE-2026-33618)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in PlatformConfigurationController::decodeSettingArray() when parsing platform settings from the database. A remote user can inject arbitrary PHP code into the settings to execute arbitrary code.
The injected code is triggered when the unauthenticated /platform-config/list route processes the catalog.course_catalog_settings value from the settings table.
3) Incorrect authorization (CVE-ID: CVE-2026-40291)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to incorrect authorization in the PUT operation of the API Platform User entity when handling PUT requests to /api/users/{id}. A remote user can modify their own roles field to escalate privileges.
The issue affects the writable roles field because the security expression only verifies record ownership.
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33703)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the /social-network/personal-data/{userId} endpoint when handling requests with a modified userId parameter. A remote user can send a crafted request with an arbitrary userId to disclose sensitive information.
The issue exposes personal data and API tokens of arbitrary users, including administrator accounts.
5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-32894)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete any student's grade result across the platform.
The vulnerability exists due to authorization bypass through a user-controlled key in public/main/gradebook/gradebook_view_result.php when handling the delete_mark GET parameter. A remote user can modify the parameter value to delete any student's grade result across the platform.
The issue is reachable by any authenticated teacher, as no ownership or course-scope verification is performed before the deletion.
6) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-34602)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to enroll arbitrary users into courses.
The vulnerability exists due to improper access control in the /api/course_rel_users endpoint when handling crafted POST requests that modify the user parameter in the request body. A remote user can send a specially crafted request to enroll arbitrary users into courses.
Exploitation lets the attacker manipulate user-course relationships and may expose course materials to unintended users.
7) Cross-site scripting (CVE-ID: CVE-2026-34161)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the social post attachment upload functionality when rendering uploaded attachment content via the generated contentUrl. A remote user can upload a malicious HTML file containing JavaScript to execute arbitrary JavaScript in the victim's browser.
User interaction is required when a user accesses the malicious attachment link.
8) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34160)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in the PENS plugin endpoint at public/plugin/Pens/pens.php when processing user-controlled package-url, receipt, and alerts parameters. A remote attacker can send a specially crafted request to disclose sensitive information.
In cloud environments, exploitation can reach instance metadata services and expose credentials or identity tokens.
9) Improper Authorization (CVE-ID: CVE-2026-34370)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper authorization in the notebook module when handling the editnote action with a user-supplied notebook_id parameter. A remote user can manipulate the notebook_id parameter to disclose sensitive information.
The issue affects the read path in get_note_information(), while ownership checks are present in updateNote() and delete_note().
10) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33715)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform server-side request forgery and send emails to attacker-specified destinations.
The vulnerability exists due to missing authentication for a critical function in the test_mailer action of public/main/inc/ajax/install.ajax.php when processing a user-supplied Symfony Mailer DSN from POST data. A remote attacker can send a specially crafted request to perform server-side request forgery and send emails to attacker-specified destinations.
The affected endpoint remains accessible on fully installed instances because it does not include the authentication and installation-completed checks performed by global.inc.php.
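As an added example that is not part of this bulletin or the Chamilo project, the following Python scanner checks web-server access-log lines for the request patterns behind items 1, 4, 8 and 10 above (keyed user-record enumeration, pens.php fetch parameters aimed at internal hosts, and test_mailer calls on an installed site). The sample log lines are constructed, and the `a=test_mailer` action parameter name is an assumption about how the endpoint is invoked.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Combined-log-format parser reduced to the two fields the checks need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
KEYED_PATHS = [re.compile(p) for p in (r"^/api/users/(\d+)$", r"^/social-network/personal-data/(\d+)$")]  # items 1, 4
SSRF_PARAMS = ("package-url", "receipt", "alerts")  # item 8

def targets_internal_host(url):
    """True for a literal non-public IP or localhost in the URL host; nothing is resolved."""
    host = urlsplit(url).hostname or ""
    try:
        return not ip_address(host).is_global
    except ValueError:
        return host == "localhost"

def scan(lines, id_threshold=5):
    """Return (client, reason) findings for the bulletin's endpoints seen in access-log lines."""
    findings, ids_seen = [], defaultdict(set)  # ids_seen: client -> distinct user ids read
    for line in lines:
        if not (m := LOG_RE.match(line)):
            continue
        client, parts = m["ip"], urlsplit(m["target"])
        query = parse_qs(parts.query)
        # Item 10: test_mailer has no business on an installed site ("a" param name is an assumption).
        if parts.path.endswith("/install.ajax.php") and "test_mailer" in query.get("a", []):
            findings.append((client, "install.ajax.php test_mailer action"))
        # Item 8: a pens.php fetch parameter aimed at an internal address.
        if parts.path.endswith("/plugin/Pens/pens.php"):
            for param in SSRF_PARAMS:
                if any(targets_internal_host(v) for v in query.get(param, [])):
                    findings.append((client, f"pens.php {param} targets internal host"))
        # Items 1 and 4: one client walking through many distinct user ids.
        for rx in KEYED_PATHS:
            if km := rx.match(parts.path):
                ids_seen[client].add(km.group(1))
    for client, ids in ids_seen.items():
        if len(ids) >= id_threshold:
            findings.append((client, f"read {len(ids)} distinct user records"))
    return findings

# Constructed sample traffic, not real log data.
SAMPLE_LOG = [f'203.0.113.7 - - [24/Apr/2026:10:00:{i:02d} +0000] "GET /api/users/{i} HTTP/1.1" 200 512' for i in range(1, 7)] + [
    '198.51.100.9 - - [24/Apr/2026:10:01:00 +0000] "GET /api/users/42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2026:10:02:00 +0000] "GET /plugin/Pens/pens.php?package-url=http://10.0.0.5/p HTTP/1.1" 200 80',
    '198.51.100.9 - - [24/Apr/2026:10:03:00 +0000] "POST /main/inc/ajax/install.ajax.php?a=test_mailer HTTP/1.1" 200 10',
]
```

The enumeration check only counts distinct ids per client, so a single legitimate self-lookup never trips it; tune `id_threshold` to the site's normal API usage.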
Remediation
Install the update from the vendor's website.
References
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x373-8j9j-g5pj
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-273p-jw9w-3g22
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fm35-2hvw-564q
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc