Description
A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Manipulation of the argument userId results in improper authorization. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization (Unauthorized Deletion of Legal Consent)
Action: Update Version
AI Analysis

Impact

The Chamilo LMS Legal Consent Handler contains a flaw in the deleteLegal action within SocialController.php. An attacker who can manipulate the userId parameter can delete the legal consent records of any user, bypassing the intended authorization checks. This is an improper authorization vulnerability (CWE-266, CWE-285) that can compromise the integrity of consent data and potentially violate regulatory requirements. The CVSS score of 5.3 reflects a moderate severity for this type of data loss.

Affected Systems

Affected releases include Chamilo LMS versions up to 2.0.0 Beta 1, which encompasses the series of alpha releases (alpha1 through alpha5) and the first beta release. Deployments that are still running any of these pre‑beta or beta versions are exposed, while newer versions beyond 2.0.0 Beta 1 are not impacted. System administrators should verify the specific version in use against the vendor's release notes to confirm exposure.

Risk and Exploitability

The vulnerability is remotely exploitable and exploit code has been made public, yet the EPSS score is less than 1%, indicating a low probability of widespread exploitation at present. The lack of a KEV listing means there is no known large-scale exploitation yet, but the absence of a vendor response is concerning. An attacker with site-wide access can use the flaw to delete legitimate legal consents; this could lead to compliance failures and data integrity problems. Immediate patching or upgrading is therefore recommended, alongside access controls and monitoring to detect unauthorized deleteLegal calls.

Generated by OpenCVE AI on April 18, 2026 at 05:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to a release beyond 2.0.0 Beta 1 where the deleteLegal authorization check has been corrected.
  • Restrict the deleteLegal endpoint to administrators only and enforce strict role‑based access controls, ensuring that only privileged users can invoke the action.
  • Enable logging of all deleteLegal requests and regularly review logs for anomalous userId parameters or repeated deletion attempts that may indicate abuse.
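As an added illustration of the logging recommendation above (not code from OpenCVE or Chamilo), this Python script scans constructed audit-log lines for deleteLegal requests whose userId parameter does not match the authenticated, non-admin user, and for bursts of deletion requests from one account. The log line format and the /legal/delete route are assumptions; substitute the real route and format of your deployment.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample audit lines (assumed format):
#   <timestamp> actor=<authenticated user id> roles=<csv> src=<ip> <METHOD> <url>
SAMPLE_LOG = """\
2026-01-18T10:00:01Z actor=42 roles=student src=198.51.100.7 POST /social/legal/delete?userId=42
2026-01-18T10:00:05Z actor=42 roles=student src=198.51.100.7 POST /social/legal/delete?userId=17
2026-01-18T10:00:06Z actor=42 roles=student src=198.51.100.7 POST /social/legal/delete?userId=18
2026-01-18T10:00:07Z actor=42 roles=student src=198.51.100.7 POST /social/legal/delete?userId=19
2026-01-18T10:01:00Z actor=1 roles=admin src=203.0.113.9 POST /social/legal/delete?userId=17
2026-01-18T10:02:00Z actor=7 roles=student src=203.0.113.10 GET /social/profile?userId=7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\d+) roles=(?P<roles>\S+) src=(?P<src>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+)$"
)
# Placeholder route for the deleteLegal action; Chamilo's real route is not on the page.
DELETE_LEGAL_RE = re.compile(r"/legal/delete")


def parse_line(line):
    """Return a dict for one audit line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["roles"] = set(rec["roles"].split(","))
    rec["user_id"] = parse_qs(urlsplit(rec["url"]).query).get("userId", [None])[0]
    return rec


def analyze(log_text, burst_threshold=3):
    """Flag deleteLegal calls targeting another user's consent and per-actor deletion bursts."""
    cross_user, per_actor = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not DELETE_LEGAL_RE.search(rec["url"]) or rec["user_id"] is None:
            continue
        per_actor[rec["actor"]] += 1
        # A non-admin deleting someone else's consent is the improper-authorization pattern.
        if rec["user_id"] != rec["actor"] and "admin" not in rec["roles"]:
            cross_user.append((rec["ts"], rec["actor"], rec["user_id"], rec["src"]))
    bursts = {actor: n for actor, n in per_actor.items() if n >= burst_threshold}
    return {"cross_user": cross_user, "bursts": bursts}
```

Running `analyze(SAMPLE_LOG)` reports three cross-user deletions by actor 42 and a burst of four deletion requests from that account, while the admin's deletion is not flagged.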



Advisories

No advisories yet.

History

Fri, 27 Feb 2026 04:00:00 +0000

Type / Values Removed / Values Added
CPEs:
  • cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
  • cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*

Tue, 20 Jan 2026 18:15:00 +0000

Type / Values Removed / Values Added
Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type / Values Removed / Values Added
First Time appeared:
  • Chamilo
  • Chamilo chamilo
  • Chamilo chamilo Lms
Vendors & Products:
  • Chamilo
  • Chamilo chamilo
  • Chamilo chamilo Lms

Sun, 18 Jan 2026 00:45:00 +0000

Type / Values Removed / Values Added
Description: A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization
Weaknesses:
  • CWE-266
  • CWE-285
References: (none)
Metrics:
  • cvssV2_0: {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
  • cvssV3_0: {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  • cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  • cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:35:10.532Z

Reserved: 2026-01-17T08:37:17.795Z

Link: CVE-2026-1106

Vulnrichment

Updated: 2026-01-20T17:21:19.703Z

NVD

Status : Analyzed

Published: 2026-01-18T01:15:51.023

Modified: 2026-02-27T03:50:02.083

Link: CVE-2026-1106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses