SB20260424135 - Multiple vulnerabilities in Chamilo LMS

Published: April 24, 2026

Security Bulletin ID: SB20260424135
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 0 (0%)
High: 1 (10%)
Medium: 3 (30%)
Low: 6 (60%)

Description

This security bulletin contains information about 10 vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33736)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key in the User API endpoints when handling GET requests to /api/users and /api/users/{id}. An authenticated remote user can list the collection or request arbitrary user identifiers and read records that belong to other users.

The exposed information includes email addresses, phone numbers, and user roles, including those of administrator accounts.


2) Eval Injection (CVE-ID: CVE-2026-33618)

CWE-ID: CWE-95 - Eval Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in PlatformConfigurationController::decodeSettingArray(), which evaluates platform setting values read from the database instead of parsing them. A remote user who can write the catalog.course_catalog_settings value in the settings table can store arbitrary PHP code there.

The stored code is executed when the /platform-config/list route, which requires no authentication, loads and decodes that setting.


3) Incorrect authorization (CVE-ID: CVE-2026-40291)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to incorrect authorization in the PUT operation of the API Platform User entity when handling PUT requests to /api/users/{id}. The roles field is writable through this operation and the security expression only verifies that the caller owns the record, so an ordinary authenticated user can PUT their own record with an elevated roles value and escalate privileges.
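As an added illustration for item 3 (this is not Chamilo code), the difference between a security rule that only checks record ownership and one that also gates which fields the owner may write. The user record, role names and writable field set are constructed for the example:

```python
"""Ownership-only versus field-level authorization on a user update.

Added illustration for item 3 above; not Chamilo code. The user record,
role names and writable field set are constructed for the example.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not apply the requested update."""


@dataclass
class User:
    id: int
    email: str
    roles: list = field(default_factory=lambda: ["ROLE_USER"])
    phone: str = ""


# Fields the owner of a record may change. `roles` is deliberately absent:
# only an administrator may change it, on any record.
OWNER_WRITABLE = {"email", "phone"}


def is_admin(user: User) -> bool:
    return "ROLE_ADMIN" in user.roles


def ownership_only_check(actor: User, target: User, payload: dict) -> None:
    """The weak rule: `object == user` and nothing more, so the owner may
    write every field the operation exposes, `roles` included."""
    if actor.id != target.id and not is_admin(actor):
        raise Forbidden("not the record owner")


def field_level_check(actor: User, target: User, payload: dict) -> None:
    """Hardened rule: the ownership test plus a per-field allow-list for
    non-administrators, evaluated before anything is written."""
    if actor.id != target.id and not is_admin(actor):
        raise Forbidden("not the record owner")
    if not is_admin(actor):
        blocked = set(payload) - OWNER_WRITABLE
        if blocked:
            raise Forbidden(f"owner may not write: {sorted(blocked)}")


def apply_update(actor: User, target: User, payload: dict, check) -> User:
    """Authorize with `check`, then copy the payload onto the record."""
    check(actor, target, payload)
    for name, value in payload.items():
        if not hasattr(target, name):
            raise ValueError(f"unknown field {name!r}")
        setattr(target, name, value)
    return target


def denies(actor: User, target: User, payload: dict, check) -> bool:
    """True if `check` refuses the update (nothing is written in that case)."""
    try:
        apply_update(actor, target, payload, check)
    except Forbidden:
        return True
    return False


def self_escalation_result(check) -> str:
    """A student PUTs their own record with roles=[ROLE_ADMIN]; returns the
    roles afterwards, or 'forbidden' if the check stopped it."""
    student = User(id=42, email="student@example.test")
    if denies(student, student, {"roles": ["ROLE_ADMIN"]}, check):
        return "forbidden"
    return ",".join(student.roles)
```

The point of the second rule is that the decision is made per field and before denormalization writes anything; an ownership expression alone cannot distinguish a harmless email change from a roles change on the same record.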


4) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33703)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the /social-network/personal-data/{userId} endpoint, which serves the record named by the userId parameter without checking that it belongs to the caller. An authenticated remote user can substitute an arbitrary userId to disclose sensitive information.

The issue exposes personal data and API tokens of arbitrary users, including administrator accounts.


5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-32894)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to delete grade results of arbitrary students.

The vulnerability exists due to authorization bypass through a user-controlled key in public/main/gradebook/gradebook_view_result.php when handling the delete_mark GET parameter. A remote user can change the parameter value to delete any student's grade result anywhere on the platform.

The code path is reachable by any authenticated teacher; the delete_mark value is used without verifying that the result belongs to a course the teacher owns or teaches.


6) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-34602)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to enroll arbitrary users into courses.

The vulnerability exists due to improper access control in the /api/course_rel_users endpoint when handling POST requests: the user field in the request body is accepted as supplied rather than bound to the caller. An authenticated remote user can send a request naming another user to enroll that user into a course.

This lets an attacker manipulate user-course relationships and may expose course materials to unintended users.


7) Cross-site scripting (CVE-ID: CVE-2026-34161)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to stored cross-site scripting in the social post attachment upload functionality: uploaded attachments are served at their generated contentUrl in a form the browser renders. A remote user can upload an HTML file containing JavaScript as an attachment; when a victim opens the attachment link, the browser renders it and executes the script.

User interaction is required: the victim must open the malicious attachment link.
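As an added example for item 7 (not Chamilo code), one way to decide the response headers for a stored attachment so that an HTML upload is downloaded rather than rendered: the type is taken from the file's leading bytes, anything that looks like active markup is forced to a download, and the filename is sanitized before it goes into the header. The magic-byte table, header policy and sample attachments are the example's own:

```python
"""Serve uploaded attachments so that an HTML file cannot execute as a page.

Added example for item 7 above; not Chamilo code. The magic-byte table,
the header policy and the sample inputs are constructed for the example.
"""
import re

# Formats allowed to render inline, identified by content, not by name.
INLINE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markup a browser would execute if the bytes were rendered as a document.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(?:!doctype\s+html|html|script|iframe|svg|body|object|embed)\b", re.I
)


def sniff_inline_type(data: bytes):
    """Return the inline-safe type whose magic bytes open `data`, else None."""
    for mime, magics in INLINE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def looks_active(data: bytes) -> bool:
    """True if the leading bytes contain markup a browser would execute
    (also catches image/HTML polyglots that pass the magic check)."""
    return ACTIVE_MARKUP.search(data[:4096]) is not None


def safe_filename(name: str) -> str:
    """Keep only the last path component and drop bytes that could break
    or inject into the Content-Disposition header."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r'[\r\n"\x00-\x1f]', "", name).strip() or "attachment"
    return name[:255]


def response_headers(filename: str, data: bytes) -> dict:
    """Headers for serving a stored attachment at its contentUrl.

    Only content that is provably a plain image renders inline; everything
    else, HTML included, is sent as an opaque download. nosniff stops the
    browser from second-guessing the declared type."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
    inline_type = sniff_inline_type(data)
    if inline_type and not looks_active(data):
        headers["Content-Type"] = inline_type
        headers["Content-Disposition"] = f'inline; filename="{safe_filename(filename)}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_filename(filename)}"'
    return headers
```

The decision deliberately ignores both the uploaded filename and any client-declared MIME type, since both are attacker-controlled; serving uploads from a separate origin is the stronger complement to this, but the header policy above is what keeps a renamed HTML file from running even on the same origin.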


8) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34160)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the PENS plugin endpoint at public/plugin/Pens/pens.php, which uses the user-controlled package-url, receipt, and alerts parameters as outbound request targets without restricting where they may point. An unauthenticated remote attacker can send a specially crafted request to make the server fetch attacker-chosen URLs, including internal hosts, and disclose sensitive information.

In cloud environments, exploitation can reach instance metadata services and expose credentials or identity tokens.


9) Improper Authorization (CVE-ID: CVE-2026-34370)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper authorization in the notebook module when handling the editnote action with a user-supplied notebook_id parameter. An authenticated remote user can change notebook_id to read notes that belong to other users.

Only the read path in get_note_information() lacks the check; updateNote() and delete_note() do verify ownership.
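Items 1, 4, 5 and 9 share one shape: a key the caller supplies is used directly, so exploitation shows up in the access log as one principal walking many distinct keys on the same endpoint. As an added detection example (not Chamilo code, and not a substitute for the patch), the following groups requests by client and endpoint and reports principals that touched several distinct keys without being refused, together with the longest consecutive run, which is the signature of an enumeration loop. The log lines are constructed in combined log format; the gradebook URL assumes that public/ is the web root, and the notebook pattern keys on the query string alone because the page does not name that script (the notebook path in the sample is a placeholder):

```python
"""Find principals walking user-controlled keys on the endpoints in items 1, 4, 5 and 9.

Added detection example, not Chamilo code. The log lines are constructed in
combined log format; the gradebook URL assumes public/ is the web root, and
the notebook pattern keys on the query string alone.
"""
import re
from collections import defaultdict

# (label, pattern over the request target, query string included)
ID_PATTERNS = [
    ("api_users", re.compile(r"^/api/users/(\d+)(?:[/?]|$)")),
    ("personal_data", re.compile(r"^/social-network/personal-data/(\d+)(?:[/?]|$)")),
    ("delete_mark", re.compile(r"^/main/gradebook/gradebook_view_result\.php\?.*\bdelete_mark=(\d+)")),
    ("notebook_edit", re.compile(r"\?(?=.*\baction=editnote\b).*\bnotebook_id=(\d+)")),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: jdoe walks /api/users/{id}, tlee walks delete_mark;
# asmith and mgarcia look like ordinary use.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [24/Apr/2026:10:00:01 +0000] "GET /api/users/17 HTTP/1.1" 200 812
10.0.0.5 - jdoe [24/Apr/2026:10:00:02 +0000] "GET /api/users/18 HTTP/1.1" 200 801
10.0.0.5 - jdoe [24/Apr/2026:10:00:02 +0000] "GET /api/users/19 HTTP/1.1" 200 799
10.0.0.5 - jdoe [24/Apr/2026:10:00:03 +0000] "GET /api/users/20 HTTP/1.1" 200 805
10.0.0.5 - jdoe [24/Apr/2026:10:00:03 +0000] "GET /api/users/1 HTTP/1.1" 200 910
10.0.0.5 - jdoe [24/Apr/2026:10:00:04 +0000] "GET /social-network/personal-data/1 HTTP/1.1" 200 2210
10.0.0.9 - asmith [24/Apr/2026:10:01:00 +0000] "GET /api/users/77 HTTP/1.1" 200 790
10.0.0.9 - asmith [24/Apr/2026:10:01:30 +0000] "GET /courses/ HTTP/1.1" 200 4120
10.0.0.22 - tlee [24/Apr/2026:10:05:00 +0000] "GET /main/gradebook/gradebook_view_result.php?cidReq=COURSE1&delete_mark=301 HTTP/1.1" 302 0
10.0.0.22 - tlee [24/Apr/2026:10:05:01 +0000] "GET /main/gradebook/gradebook_view_result.php?cidReq=COURSE1&delete_mark=302 HTTP/1.1" 302 0
10.0.0.22 - tlee [24/Apr/2026:10:05:01 +0000] "GET /main/gradebook/gradebook_view_result.php?cidReq=COURSE1&delete_mark=303 HTTP/1.1" 302 0
10.0.0.22 - tlee [24/Apr/2026:10:05:02 +0000] "GET /main/gradebook/gradebook_view_result.php?cidReq=COURSE1&delete_mark=304 HTTP/1.1" 302 0
10.0.0.22 - tlee [24/Apr/2026:10:05:02 +0000] "GET /main/gradebook/gradebook_view_result.php?cidReq=COURSE1&delete_mark=305 HTTP/1.1" 302 0
10.0.0.31 - mgarcia [24/Apr/2026:10:06:00 +0000] "GET /main/notebook/index.php?action=editnote&notebook_id=9 HTTP/1.1" 200 3300
"""


def parse(line: str):
    """(ip, user, endpoint label, key, status) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    for label, pat in ID_PATTERNS:
        hit = pat.search(target)
        if hit:
            return m.group("ip"), m.group("user"), label, int(hit.group(1)), int(m.group("status"))
    return None


def longest_consecutive_run(keys) -> int:
    """Length of the longest run of consecutive integers in `keys`."""
    keys = sorted(set(keys))
    best = run = 1 if keys else 0
    for a, b in zip(keys, keys[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text: str, min_distinct: int = 4) -> dict:
    """Map (ip, user, endpoint) -> {"ids": [...], "longest_run": n} for every
    principal that used at least `min_distinct` distinct keys on one endpoint
    and was not refused (status below 400; deletes typically answer 302)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[4] < 400:
            ip, user, label, key, _ = rec
            seen[(ip, user, label)].add(key)
    return {k: {"ids": sorted(v), "longest_run": longest_consecutive_run(v)}
            for k, v in seen.items() if len(v) >= min_distinct}
```

The threshold is an example value; tune it against normal traffic, since a teacher legitimately touches several results in one course. Keys that are valid but foreign to the caller can only be told apart with application context (which course the teacher owns), so treat the output as a triage list and confirm against the application's own records.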


10) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33715)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to make the server connect to an attacker-chosen mail host and send test emails to attacker-specified destinations.

The vulnerability exists because the test_mailer action in public/main/inc/ajax/install.ajax.php accepts a Symfony Mailer DSN from POST data without authentication and uses it to open a connection to the host and port the DSN names. An unauthenticated remote attacker can send a specially crafted request to perform server-side request forgery against arbitrary hosts and to send emails to attacker-specified destinations.

The endpoint remains reachable on fully installed instances because it does not include global.inc.php, which performs the authentication and installation-completed checks.
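Items 8 and 10 both end in the server connecting to a host the caller chose, so the same validation applies to the package URL of item 8 and the mailer DSN of item 10. As an added example (not Chamilo code), the check below parses either form, normalizes IP literals in the alternative spellings the C resolver accepts (bare decimal, hex, v4-mapped IPv6), resolves names through an injectable resolver, and refuses anything that does not land on a public unicast address, which covers loopback, RFC 1918 space and the 169.254.169.254 metadata address. The allowed schemes and the lookup table in demo_resolver are constructed for the example:

```python
"""Refuse outbound targets that resolve to internal or metadata addresses.

Added example for items 8 and 10 above; not Chamilo code. It validates a
package URL (item 8) or a Symfony-style mailer DSN such as
smtp://user:pass@host:port (item 10) before any connection is made. The
allowed schemes and the hosts known to demo_resolver are constructed.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"package": {"http", "https"}, "mailer": {"smtp", "smtps"}}


def system_resolver(host: str) -> list:
    """Resolve through the OS; returns the IP strings the host maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def literal_ip(host: str):
    """Normalize an IP literal in any spelling inet_aton accepts (dotted
    quad, bare decimal, octal, hex) or an IPv6 literal; None if not an IP."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-Fx.]+", host):
        try:
            return socket.inet_ntoa(socket.inet_aton(host))
        except OSError:
            return None
    return None


def is_public(ip_str: str) -> bool:
    """Globally routable unicast only; v4-mapped v6 gets the v4 rules."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_target(raw: str, kind: str, resolver=system_resolver):
    """Return (ok, reason, addresses); `kind` is 'package' or 'mailer'.
    The checked addresses are returned so the caller connects to exactly
    what was vetted instead of resolving a second time (DNS rebinding)."""
    try:
        parts = urlsplit(raw)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable target: {exc}", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES.get(kind, set()):
        return False, f"scheme {parts.scheme!r} not allowed for {kind}", []
    if not host:
        return False, "no host", []
    ip = literal_ip(host)
    if ip is not None:
        addrs = [ip]
    else:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}", []
    if not addrs:
        return False, f"{host} resolved to nothing", []
    bad = [a for a in addrs if not is_public(a)]
    if bad:
        return False, f"{host} resolves to non-public address {bad[0]}", []
    return True, "ok", addrs


def demo_resolver(host: str) -> list:
    """Constructed lookup table standing in for DNS in the examples."""
    table = {
        "metadata.google.internal": ["169.254.169.254"],
        "mail.example.test": ["93.184.216.34"],
    }
    if host in table:
        return table[host]
    raise OSError("NXDOMAIN")
```

Two caveats a practitioner should keep in mind: a name that checks clean now can be re-resolved to an internal address at connect time, which is why the vetted addresses are handed back for the connection itself; and for item 10 the right fix is the missing authentication and installation check, with target validation as defence in depth rather than the primary control.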


Remediation

Install the update from the vendor's website.