Authorization bypass through user-controlled key in Chamilo LMS - CVE-2026-33736

 


Published: April 24, 2026


Vulnerability identifier: #VU127556
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33736
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software:
Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in the User API endpoints when handling GET requests to /api/users and /api/users/{id}: the endpoints authenticate the caller but do not verify that the caller is allowed to read the requested user record. A remote user can send crafted requests that supply other users' identifiers to disclose sensitive information.

The exposed information includes email addresses, phone numbers, and user roles, including administrator accounts.
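The pattern described above is an object-level authorization failure: the handler checks that the caller is logged in but not that the caller may read the record identified by the id in the URL. The following Python is an added illustration written for this page, not Chamilo LMS code and not a reproduction of its API; the endpoint names, user store, roles and field list are constructed assumptions. It places the vulnerable handler beside a hardened one that restricts full records to the owner or an administrator and returns only non-sensitive fields to everyone else, for both the single-record and the listing endpoint.

```python
"""Added example: object-level authorization for a user API (CWE-639).

Hypothetical handlers, not Chamilo LMS code. They model the two endpoints the
advisory names, GET /api/users and GET /api/users/{id}, to show the missing
check that turns a user-controlled id into an information disclosure, and the
corrected form. All users, roles and contact data below are constructed.
"""
from dataclasses import dataclass

# Constructed sample user store keyed by id; roles and contact data are invented.
USERS = {
    1: {"id": 1, "username": "admin", "email": "admin@example.test",
        "phone": "+1-555-0100", "roles": ["ROLE_ADMIN"]},
    2: {"id": 2, "username": "alice", "email": "alice@example.test",
        "phone": "+1-555-0101", "roles": ["ROLE_STUDENT"]},
    3: {"id": 3, "username": "bob", "email": "bob@example.test",
        "phone": "+1-555-0102", "roles": ["ROLE_TEACHER"]},
}

# Fields any logged-in user may see; email, phone and roles are private.
PUBLIC_FIELDS = ("id", "username")


@dataclass
class Caller:
    """The authenticated principal making the request (assumed shape)."""
    user_id: int
    roles: list

    def is_admin(self):
        return "ROLE_ADMIN" in self.roles


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_user_vulnerable(caller, user_id):
    """Vulnerable pattern: authentication only. Any logged-in caller can read
    any record, including an admin's email, phone and roles, by changing id."""
    if caller is None:
        raise Forbidden("login required")
    if user_id not in USERS:
        raise NotFound(user_id)
    return dict(USERS[user_id])


def get_user_fixed(caller, user_id):
    """Hardened: authentication plus an object-level check. The owner and
    admins get the full record; other authenticated users get public fields."""
    if caller is None:
        raise Forbidden("login required")
    if user_id not in USERS:
        raise NotFound(user_id)
    record = USERS[user_id]
    if caller.is_admin() or caller.user_id == user_id:
        return dict(record)
    return {k: record[k] for k in PUBLIC_FIELDS}


def list_users_fixed(caller):
    """Hardened collection endpoint: admins see full records, everyone else
    sees public fields only, so listing does not leak contact data or roles."""
    if caller is None:
        raise Forbidden("login required")
    if caller.is_admin():
        return [dict(u) for u in USERS.values()]
    return [{k: u[k] for k in PUBLIC_FIELDS} for u in USERS.values()]


if __name__ == "__main__":
    student = Caller(user_id=2, roles=["ROLE_STUDENT"])
    print("vulnerable:", get_user_vulnerable(student, 1))   # leaks admin contact data
    print("fixed:     ", get_user_fixed(student, 1))        # public fields only
    print("listing:   ", list_users_fixed(student))
```

The decision in `get_user_fixed` is made per record, not per endpoint: the same request from the owner or an administrator returns everything, while a different authenticated caller gets a deliberately reduced projection. Filtering fields rather than refusing the request keeps legitimate profile lookups working while removing the contact data and role information the advisory lists as exposed.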


How to mitigate CVE-2026-33736

Install the security update from the vendor's website.

Sources