Authorization bypass through user-controlled key in Chamilo LMS - CVE-2026-33702

Published: April 24, 2026


Vulnerability identifier: #VU127560
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33702
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software:
Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote user to modify another user's learning path progress data.

The vulnerability exists due to an authorization bypass through a user-controlled key in main/lp/lp_ajax_save_item.php when handling requests that supply the uid parameter. A remote user can send a specially crafted request carrying another user's uid and thereby modify that user's learning path progress data.

Authentication is required, and any user enrolled in the course can exploit the issue.
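The following is an added illustration of the bug class (CWE-639, authorization bypass through a user-controlled key) rather than code from Chamilo or from the advisory. The handler names, the ProgressStore class, the session layout and the is_course_admin flag are hypothetical stand-ins for an AJAX endpoint that saves learning-path item progress; the sample data is constructed. It shows the weak pattern, where the record to update is chosen by a uid taken from the request, beside a hardened form that derives the key from the server-side session and only honours a client-supplied uid for an authorised caller.

```php
<?php
// Added example for CWE-639 (the class of bug behind CVE-2026-33702).
// Not Chamilo's code: ProgressStore, the session keys and both handlers are
// hypothetical, and the data below is constructed for the demonstration.
declare(strict_types=1);

final class ProgressStore
{
    /** @var array<int, array<int, string>> user id => (item id => status); constructed sample rows */
    private array $rows = [
        101 => [7 => 'incomplete'],
        202 => [7 => 'incomplete'],
    ];

    public function update(int $userId, int $itemId, string $status): void
    {
        $this->rows[$userId][$itemId] = $status;
    }

    public function status(int $userId, int $itemId): ?string
    {
        return $this->rows[$userId][$itemId] ?? null;
    }
}

// Weak pattern: authentication is checked, but the key that selects the row
// to modify comes straight from the request, so any logged-in user can name
// any other user's id.
function saveItemVulnerable(array $request, array $session, ProgressStore $store): void
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('not authenticated');
    }
    $uid    = (int) ($request['uid'] ?? 0);      // user-controlled key, trusted as-is
    $itemId = (int) ($request['id'] ?? 0);
    $status = (string) ($request['status'] ?? '');
    $store->update($uid, $itemId, $status);
}

// Hardened pattern: the key defaults to the session user. A client-supplied uid
// that differs from the session user is honoured only when the caller holds a
// privileged role (is_course_admin is a hypothetical placeholder for a real
// role check); otherwise the mismatch is logged and the request is refused.
function saveItemHardened(array $request, array $session, ProgressStore $store): void
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('not authenticated');
    }
    $self      = (int) $session['user_id'];
    $requested = isset($request['uid']) ? (int) $request['uid'] : $self;

    if ($requested !== $self && empty($session['is_course_admin'])) {
        // A uid that disagrees with the session user is the signal a
        // detection rule for this bug class would key on.
        error_log(sprintf('uid mismatch: session=%d requested=%d', $self, $requested));
        throw new RuntimeException('forbidden');
    }
    $itemId = (int) ($request['id'] ?? 0);
    $status = (string) ($request['status'] ?? '');
    $store->update($requested, $itemId, $status);
}

// Constructed scenario: user 101, an ordinary enrolled learner, submits a
// progress update that names user 202.
$session = ['user_id' => 101];
$request = ['uid' => 202, 'id' => 7, 'status' => 'completed'];

$store = new ProgressStore();
saveItemVulnerable($request, $session, $store);
echo 'weak handler: user 202 item 7 is now ' . $store->status(202, 7) . PHP_EOL;

$store = new ProgressStore();
try {
    saveItemHardened($request, $session, $store);
} catch (RuntimeException $e) {
    echo 'hardened handler: ' . $e->getMessage() . PHP_EOL;
}
echo 'hardened handler: user 202 item 7 is still ' . $store->status(202, 7) . PHP_EOL;
```

The design point is that the identifier of the record being written must be bound to the authenticated principal on the server side; accepting it from the client is only acceptable when an explicit authorization check ties the caller to that identifier, and the mismatch case is worth logging because it is the observable trace of an attempted bypass.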


How to mitigate CVE-2026-33702

Install the security update from the vendor's website.

Sources