Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress — including score, status, completion, and time — without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity Compromise
Action: Patch Now
AI Analysis

Impact

Chamilo LMS allows an authenticated user to alter another user’s learning path progress data such as score, status, completion, and time. This occurs because the progress‑saving endpoint accepts a user ID from the request and applies changes to that ID without validation, exposing an insecure direct object reference. The flaw can lead to deceptive records, misrepresenting a learner’s achievements.

Affected Systems

The vulnerability is present in Chamilo LMS versions prior to 1.11.38 and 2.0.0‑RC.3. Any deployment running an older main branch may be affected; this includes enterprise installations and community builds below those release thresholds.

Risk and Exploitability

With a CVSS score of 7.1, the risk is considered high. An attacker only needs to be authenticated and enrolled in a course, then modify the uid parameter in an HTTP request to overwrite another user’s progress. Because the exploit does not require elevated privileges or external setup, the attack vector is straightforward, making exploitation likely. The vulnerability is not listed in the CISA KEV catalog and no EPSS score is available, but its moderate severity and straightforward exploitation path warrant immediate attention.

Generated by OpenCVE AI on April 10, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0‑RC.3 or later.
  • If an upgrade is not yet possible, review and restrict course enrollee permissions so users cannot invoke the progress‑saving endpoint.
  • Monitor system logs for anomalous progress‑saving requests with mismatched user IDs.
  • Notify users that progress data may be unreliable if the system is running an affected version.

Generated by OpenCVE AI on April 10, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo
Chamilo chamilo Lms
Vendors & Products Chamilo
Chamilo chamilo Lms

Fri, 10 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress — including score, status, completion, and time — without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Title Chamilo LMS has an Insecure Direct Object Reference (IDOR)
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

Chamilo Chamilo Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:36:13.742Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33702

cve-icon Vulnrichment

Updated: 2026-04-13T15:24:10.856Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T19:16:23.177

Modified: 2026-04-16T18:48:21.387

Link: CVE-2026-33702

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:59:48Z

Weaknesses