Description
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
Published: 2026-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: PII Exposure
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS fails to enforce authorization on its get_user_info_from_username REST API endpoint, allowing any authenticated user to retrieve sensitive personal details (email address, first and last name, user ID, and account status) of any other user, including students. This is a confidentiality breach: personally identifiable information (PII) is exposed to every account holder, violating privacy requirements.

Affected Systems

All Chamilo LMS installations running a version earlier than 1.11.38 are affected. Any authenticated user of such an installation, regardless of role, can retrieve the personal data of other users.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5 (Medium). Because exploitation requires only an authenticated account on the LMS, the likelihood of exploitation is high in environments where many users hold legitimate access. The exploit vector is an ordinary authenticated web request to the exposed API endpoint. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and public data on exploit probability is unavailable.
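The missing check described above, as an added illustration that is not Chamilo's code: a lookup handler with authentication only (the pre-1.11.38 behaviour) beside one that also enforces authorization, plus a small audit check over constructed log lines. The user table, roles, and log line format are assumptions; only the endpoint name and the returned fields come from the CVE description.

```python
from collections import defaultdict

# Constructed sample data: table, roles and log format are assumptions,
# not Chamilo's schema. Fields mirror those named in the CVE description.
USERS = {
    "alice": {"user_id": 1, "email": "alice@example.org", "firstname": "Alice",
              "lastname": "Ames", "active": True, "role": "student"},
    "bob":   {"user_id": 2, "email": "bob@example.org", "firstname": "Bob",
              "lastname": "Bell", "active": False, "role": "student"},
    "admin": {"user_id": 3, "email": "admin@example.org", "firstname": "Ada",
              "lastname": "Min", "active": True, "role": "admin"},
}
PII_FIELDS = ("email", "firstname", "lastname", "user_id", "active")

def get_user_info_vulnerable(requester, username):
    """Pre-1.11.38 behaviour as described: authentication only, no authorization."""
    if requester not in USERS:
        raise PermissionError("authentication required")
    user = USERS.get(username)
    return {k: user[k] for k in PII_FIELDS} if user else None

def get_user_info_hardened(requester, username):
    """CWE-862 fix: only an admin or the user itself gets the record; a foreign
    lookup and an unknown username fail identically, so accounts cannot be enumerated."""
    caller = USERS.get(requester)
    if caller is None:
        raise PermissionError("authentication required")
    if caller["role"] != "admin" and requester != username:
        raise PermissionError("forbidden")
    user = USERS.get(username)
    if user is None:
        raise PermissionError("forbidden")
    return {k: user[k] for k in PII_FIELDS}

# Constructed audit log: "<time> <requester> get_user_info_from_username <target>"
SAMPLE_LOG = [
    "10:00:01 alice get_user_info_from_username bob",
    "10:00:02 alice get_user_info_from_username carol",
    "10:00:03 bob get_user_info_from_username bob",
    "10:00:04 bob get_user_info_from_username alice",
]

def flag_lookup_abuse(log_lines, threshold):
    """Requesters that looked up at least `threshold` distinct other accounts."""
    targets = defaultdict(set)
    for line in log_lines:
        _, requester, action, target = line.split()
        if action == "get_user_info_from_username" and target != requester:
            targets[requester].add(target)
    return sorted(r for r, t in targets.items() if len(t) >= threshold)
```

On an unpatched instance, the audit helper gives a review signal for bulk harvesting of PII through this endpoint; after upgrading to 1.11.38 the hardened behaviour is what the endpoint should exhibit.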

Generated by OpenCVE AI on April 10, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Chamilo LMS to version 1.11.38 or later.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type   Values Removed   Values Added
CPEs   (none)           cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Chamilo; Chamilo chamilo Lms
Vendors & Products    (none)           Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 19:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
Title         (none)           Chamilo LMS has REST API PII Exposure via get_user_info_from_username
Weaknesses    (none)           CWE-862
References    (none)           (none shown)
Metrics       (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-15T15:04:02.449Z
Reserved: 2026-03-23T17:06:05.747Z
Link: CVE-2026-33708

Vulnrichment

Updated: 2026-04-15T15:03:58.357Z

NVD

Status: Analyzed
Published: 2026-04-10T19:16:24.107
Modified: 2026-04-16T18:25:15.883
Link: CVE-2026-33708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:41Z

Weaknesses