Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Grade Deletion
Action: Apply Patch
AI Analysis

Impact

An insecure direct object reference in the gradebook result view page allows an authenticated teacher to delete any student's grade record by manipulating the delete_mark or resultdelete GET parameters. Because the application performs no ownership or course-scope verification, the deletion can target any user across all courses, compromising the integrity of the grading system. The vulnerability is rooted in improper null reference handling (CWE-476) and a lack of authorization checks (CWE-639). Successful exploitation results in permanent removal of grade data, which can affect academic assessment and reporting.
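The missing check described above, as an added example that is not Chamilo's code: a model of a gradebook delete handler that resolves the requested result first (so a missing row is a 404 rather than a null dereference) and then verifies that the result belongs to the course in view and that the caller teaches that course. The parameter names delete_mark and resultdelete come from the advisory; the ids, data and function names are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

@dataclass(frozen=True)
class GradeResult:
    id: int
    student_id: int
    course_id: int
    score: float

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

# Constructed sample data (hypothetical ids): teacher 7 teaches course 101,
# teacher 9 teaches course 202; one grade result lives in each course.
COURSE_TEACHERS = {101: {7}, 202: {9}}

def sample_results() -> dict:
    return {1: GradeResult(1, 31, 101, 88.0), 2: GradeResult(2, 32, 202, 71.5)}

def requested_result_id(query: str) -> Optional[int]:
    """Read the id from either parameter named in the advisory; reject non-integers."""
    params = parse_qs(query)
    for name in ("delete_mark", "resultdelete"):
        if name in params and params[name][0].isdigit():
            return int(params[name][0])
    return None

def delete_result_vulnerable(results: dict, result_id: int) -> None:
    """The pattern the advisory describes: the row is deleted with no scope
    check, and a nonexistent id dereferences None (CWE-476)."""
    result = results.get(result_id)
    del results[result.id]

def delete_result_hardened(results: dict, teacher_id: int, course_id: int, result_id: int) -> GradeResult:
    """Resolve the object, then require that it belongs to the course being
    viewed and that the caller teaches that course, before deleting."""
    result = results.get(result_id)
    if result is None:
        raise NotFound(f"grade result {result_id} does not exist")
    if result.course_id != course_id:
        raise Forbidden("result does not belong to the course in view")
    if teacher_id not in COURSE_TEACHERS.get(course_id, set()):
        raise Forbidden("caller does not teach this course")
    return results.pop(result_id)
```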

Affected Systems

The defect is present in versions of Chamilo LMS older than 1.11.38 and 2.0.0-RC.3. Administrators running these releases should review their deployment and determine whether the gradebook module has been affected.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability is classified as high severity. While an EPSS score is not reported, the attack requires only that the actor be a logged-in teacher able to edit URLs, a common role in organizations using Chamilo. The exploit is straightforward, involving a simple GET request modification, and does not depend on advanced techniques, making it likely to be used by malicious insiders or through compromised teacher accounts.

Generated by OpenCVE AI on April 10, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 1.11.38 or later, or to 2.0.0‑RC.3 or later, if you are still using an earlier release.
  • Verify that the gradebook result view no longer accepts arbitrary student identifiers and that teachers cannot delete grades from other courses.
  • Check the Chamilo project website or security advisories for additional patches or updates that address related issues.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo
Chamilo chamilo Lms
Vendors & Products Chamilo
Chamilo chamilo Lms

Fri, 10 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Title Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result
Weaknesses CWE-476
CWE-639
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:36:28.238Z

Reserved: 2026-03-16T21:03:44.422Z

Link: CVE-2026-32894

Vulnrichment

Updated: 2026-04-13T15:24:22.702Z

NVD

Status : Analyzed

Published: 2026-04-10T18:16:42.117

Modified: 2026-04-17T21:28:56.970

Link: CVE-2026-32894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:00Z

Weaknesses