Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Prevent session hijack
Action: Patch Now
AI Analysis

Impact

Chamilo LMS, a learning management system, contains a session fixation flaw in the file main/lp/aicc_hacp.php. The code accepts user-supplied parameters and assigns them directly to the PHP session ID before the system initializes. This weakness, classified as CWE‑384, allows an attacker to set a predetermined session identifier, potentially taking over a legitimate user’s session after the user accesses the vulnerable page.

Affected Systems

All deployments of Chamilo LMS running a version earlier than 1.11.38 or 2.0.0‑RC.3 are vulnerable. The flaw resides in the public‑facing aicc_hacp.php endpoint. Any installation that has not applied the recent patch remains at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity, and the EPSS score is not available, so the global exploitation probability cannot be quantified. The issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request targeting the aicc_hacp.php endpoint where an attacker can supply a chosen session ID. If successful, the attacker would assume the victim’s privileges, compromising confidentiality, integrity, and availability of the LMS and any protected content. This assessment is inferred from the description because the exploit path is not explicitly detailed in the input.

Generated by OpenCVE AI on April 10, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Chamilo LMS to version 1.11.38 or higher, or to 2.0.0‑RC.3 or higher.
  • After upgrading, verify that the aicc_hacp.php file no longer assigns the session ID from user input.
  • If an upgrade cannot be performed immediately, block access to the aicc_hacp.php endpoint or disable the affected feature until the patch is applied.
  • Monitor audit logs for abnormal session fixation attempts and ensure session cookies have the Secure and HttpOnly flags set.
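The pattern the analysis describes (a request parameter installed as the PHP session ID before the session is started) beside the hardened form the recommended actions call for, as an added PHP illustration. This is not Chamilo's code: the parameter name `session_id`, the function names and the source-scanning heuristic are assumptions made for the example.

```php
<?php
// Added illustration of CWE-384 (session fixation); not Chamilo's code.
// Parameter name 'session_id' and all function names are assumptions.

// VULNERABLE PATTERN: the identifier comes straight from the request and
// is installed before session_start(). Whoever chose that value knows the
// victim's session ID once the victim authenticates under it.
function start_session_insecure(array $request): void
{
    if (isset($request['session_id'])) {
        session_id((string) $request['session_id']); // request-chosen ID accepted
    }
    session_start();
}

// HARDENED PATTERN: the server alone decides the identifier.
function start_session_secure(): void
{
    // Reject IDs the server never issued; PHP replaces them with a fresh one.
    ini_set('session.use_strict_mode', '1');
    // Take the ID only from the cookie, never from GET/POST or URL rewriting.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Secure and HttpOnly, as the recommended actions require.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call immediately after a successful login: a new ID is issued and the
// old one destroyed, so an identifier fixed before authentication is useless.
function on_authenticated(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Crude post-upgrade check for the second recommended action: flag any
// source line that passes a request superglobal directly to session_id().
// It only catches the direct form; indirection through variables is missed.
function has_request_derived_session_id(string $phpSource): bool
{
    return (bool) preg_match(
        '/session_id\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/',
        $phpSource
    );
}

// Usage (constructed sample, not Chamilo's file):
$sample = '<?php session_id($_REQUEST["sid"]); session_start();';
var_dump(has_request_derived_session_id($sample)); // bool(true)
```

`session.use_strict_mode` is the single most effective setting here: with it on, a session ID that the server did not generate is never adopted, so even a code path that still calls `session_id()` with outside input cannot fix the session. Regenerating the ID at the privilege boundary (login) closes the remaining window.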

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo
Chamilo chamilo Lms
Vendors & Products Chamilo
Chamilo chamilo Lms

Fri, 10 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Title Session Fixation in Chamilo LMS
Weaknesses CWE-384
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:12:28.550Z

Reserved: 2026-03-10T15:10:10.655Z

Link: CVE-2026-31940

Vulnrichment

Updated: 2026-04-14T14:12:24.534Z

NVD

Status : Analyzed

Published: 2026-04-10T18:16:41.483

Modified: 2026-04-17T21:31:36.710

Link: CVE-2026-31940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:03Z

Weaknesses