Description
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

An authenticated user with a valid REST API key can change their own user status via the update_user_from_username endpoint. This flaw allows a user who originally has the student status (status=5) to elevate to the teacher or course manager role (status=1). The result is that the user gains the ability to create and manage courses, a privilege normally reserved for higher‑level accounts. The weakness corresponds to improper authorization controls (CWE‑269).
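One defensive pattern against this class of flaw, as an added example that is not Chamilo's code and makes no claim about how 1.11.38 fixes it: the update handler applies an allowlist of self-service fields, so a student's status value cannot be changed through the same API-key path. The handler name mirrors the advisory's endpoint; the user store, field names and scenario are constructed.

```python
"""Added example (not Chamilo's code): field allowlist for a self-service user
update. Handler name mirrors the advisory's endpoint; the rest is constructed."""
from dataclasses import dataclass, field

STUDENT = 5         # Chamilo status value for a student (from the advisory)
COURSEMANAGER = 1   # Chamilo status value for a teacher/course manager

# Fields an ordinary API-key holder may change on their own account.
# 'status' is deliberately absent: role changes require an admin caller.
SELF_SERVICE_FIELDS = frozenset({"firstname", "lastname", "email", "phone"})

class Forbidden(Exception):
    """The caller is not allowed to apply the requested change."""

@dataclass
class User:
    username: str
    status: int
    is_admin: bool = False
    profile: dict = field(default_factory=dict)

def update_user_from_username(caller: User, target: User, changes: dict) -> list:
    """Apply `changes` to `target` on behalf of `caller`; return applied field names.
    Allowlist guard: rather than copying every submitted key onto the user row
    (which is what lets a student submit status=1), a non-admin caller may only
    touch SELF_SERVICE_FIELDS, and only on their own account."""
    if not caller.is_admin:
        if caller.username != target.username:
            raise Forbidden("API-key callers may only edit their own account")
        rejected = set(changes) - SELF_SERVICE_FIELDS
        if rejected:
            raise Forbidden(f"fields not permitted via API key: {sorted(rejected)}")
    for key, value in changes.items():
        if key == "status":
            target.status = int(value)   # reachable only for admin callers
        else:
            target.profile[key] = value
    return sorted(changes)

def run_demo() -> dict:
    """Constructed scenario from the advisory: a student submits status=1
    against their own account via API key, then makes a permitted edit."""
    alice = User("alice", STUDENT)
    try:
        update_user_from_username(alice, alice, {"status": COURSEMANAGER})
        blocked = False
    except Forbidden:
        blocked = True
    applied = update_user_from_username(alice, alice, {"email": "alice@example.test"})
    return {"blocked": blocked, "status_after": alice.status, "applied": applied}
```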

Affected Systems

The vulnerability affects Chamilo Learning Management System in every release prior to version 1.11.38. Deployments of those versions that expose the REST API are at risk: any account that holds an API key can exploit the flaw, regardless of its original role.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk level. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, but the attack path is an existing authenticated REST API key. Exploitation requires only the ability to send an API request, so it is easily achievable from a compromised or brute-forced account. Once exploited, the attacker gains full access to course creation and management, compromising the integrity and availability of the LMS. The risk is significant for any organization that relies on REST API access for administrative functions.

Generated by OpenCVE AI on April 10, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chamilo LMS to version 1.11.38 or later

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 14:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Chamilo; Chamilo chamilo Lms
Vendors & Products                      Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 19:15:00 +0000

Type           Values Removed    Values Added
Description                      Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38.
Title                            Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)
Weaknesses                       CWE-269
References
Metrics                          cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:02:07.696Z

Reserved: 2026-03-23T17:06:05.747Z

Link: CVE-2026-33706

Vulnrichment

Updated: 2026-04-14T14:02:03.125Z

NVD

Status: Analyzed

Published: 2026-04-10T19:16:23.800

Modified: 2026-04-16T18:27:48.773

Link: CVE-2026-33706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:43Z

Weaknesses