Authorization bypass through user-controlled key in Chamilo LMS - CVE-2026-33141

Published: April 24, 2026


Vulnerability identifier: #VU127566
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33141
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software:
Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in the REST API stats endpoint when handling GET requests for user and course statistics. A remote user can request statistics for arbitrary user IDs and course IDs and thereby disclose sensitive information.

The exposed data includes learning progress, certificates, and gradebook scores; access to the requested records requires neither enrollment in the course nor a supervisory relationship with the user.
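As an added illustration that is not Chamilo's code: a constructed Python model of the defect class the advisory describes, showing a stats handler that trusts the user and course IDs from the request beside one that validates the requester's relationship to the record first. The data model, the relationship names (course teachers, supervisors) and the access rule itself are assumptions chosen for the example.

```python
# Constructed model of CWE-639 in a user/course statistics endpoint. Not
# Chamilo's code: data model, relationship names and access rule are assumed.
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Directory:
    course_teachers: dict  # course_id -> set of teacher user_ids (hypothetical)
    supervisors: dict      # user_id -> set of supervising user_ids (hypothetical)
    stats: dict            # (user_id, course_id) -> statistics record


SAMPLE = Directory(  # constructed sample data
    course_teachers={"c101": {"t1"}},
    supervisors={"u7": {"boss9"}},
    stats={("u7", "c101"): {"progress": 80, "score": 17.5, "certificate": True},
           ("u8", "c101"): {"progress": 20, "score": 4.0, "certificate": False}},
)


def stats_vulnerable(db, requester, user_id, course_id):
    """Before: only authentication is checked, so any logged-in user can read
    anyone's record by choosing user_id and course_id (the advisory's defect)."""
    if requester is None:
        raise Forbidden("authentication required")
    return db.stats.get((user_id, course_id))


def may_view(db, requester, user_id, course_id):
    """Assumed object-level rule: own record, supervisor of the subject,
    or teacher of the course."""
    if requester == user_id:
        return True
    if requester in db.supervisors.get(user_id, set()):
        return True
    return requester in db.course_teachers.get(course_id, set())


def stats_fixed(db, requester, user_id, course_id):
    """After: the request's key is checked against the requester's relationship
    to the record before anything is returned."""
    if requester is None:
        raise Forbidden("authentication required")
    if not may_view(db, requester, user_id, course_id):
        raise Forbidden("not authorized for this user/course")
    return db.stats.get((user_id, course_id))
```

The fixed handler denies with the same error whether or not the record exists, so the response does not reveal which user/course pairs are present.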


How to mitigate CVE-2026-33141

Install the security update from the vendor's website.

Sources