Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Predictable API key generation leading to unauthorized API access
Action: Upgrade Now
AI Analysis

Impact

Chamilo LMS generates REST API keys with a deterministic formula that combines the current timestamp (a Unix time in seconds) with the user identifier and a constant: the rand(10000, 10000) call has equal bounds and always returns 10000, so no randomness enters the key at all. Because md5 is then applied to that sum, the resulting key can be reproduced by anyone who knows the user and the approximate creation time. This flaw allows an adversary to brute-force a valid key and gain unauthorized API access, compromising data confidentiality and integrity. The weakness is classified as CWE-330 (Use of Insufficiently Random Values).

Affected Systems

All Chamilo LMS releases older than 1.11.38 and 2.0.0-RC.3 are affected. The vulnerability exists in the core code that performs key generation and is present in all deployments of the system that rely on the legacy API key routine.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating a high severity classification. EPSS data is not available, and the flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. An attacker could exploit the weakness remotely by accessing the API endpoint, submitting a known username and a time window estimate, then iteratively generating candidate keys until the correct one is found. The attack requires knowledge of the username and approximate key creation time, but no additional privileges are needed beyond API access rights. The predictability of key generation directly lowers the effort needed for a brute-force attempt, elevating the risk of compromise.

Generated by OpenCVE AI on April 10, 2026 at 20:23 UTC.
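To make the described weakness concrete, the following is an added example (not part of the OpenCVE record and not Chamilo's own code) that models the legacy formula in Python, bounds how much entropy a key can have when its creation second is roughly known, and shows a hardened generator together with a post-upgrade check of the kind the recommended actions call for. The secrets-based replacement is an assumption about what a fix looks like, not Chamilo's actual patch.

```python
import hashlib
import math
import secrets
import time

# rand(10000, 10000) in PHP has min == max, so it always returns 10000.
WEAK_CONSTANT = 10000


def weak_api_key(timestamp: int, user_id: int) -> str:
    """Model of the pre-1.11.38 formula md5(time() + (user_id * 5) - rand(10000, 10000)).

    PHP's md5() coerces its integer argument to a decimal string before hashing,
    so the key is a pure function of (creation second, user_id). Note the linearity:
    user u+1 one 5-second step earlier gets the same key as user u."""
    seed = timestamp + user_id * 5 - WEAK_CONSTANT
    return hashlib.md5(str(seed).encode("ascii")).hexdigest()


def weak_key_entropy_bits(window_seconds: int) -> float:
    """Upper bound on the legacy key's entropy when the creation time is known
    to within window_seconds: one candidate per second, i.e. log2(window) bits."""
    return math.log2(max(window_seconds, 1))


def secure_api_key() -> str:
    """Hardened replacement (assumed, not Chamilo's actual fix): 32 bytes from the
    OS CSPRNG, hex-encoded, i.e. 256 bits independent of time and user_id."""
    return secrets.token_hex(32)


def legacy_generator(user_id: int):
    """Returns a callable that issues keys the way the vulnerable code did."""
    return lambda: weak_api_key(int(time.time()), user_id)


def keys_look_predictable(generate, user_id: int, samples: int = 5) -> bool:
    """Post-upgrade check: a sound generator must never reproduce the legacy
    formula for the current second (+/- 1 s of clock skew) and must not repeat
    keys issued within the same second."""
    now = int(time.time())
    keys = [generate() for _ in range(samples)]
    legacy = {weak_api_key(t, user_id) for t in (now - 1, now, now + 1)}
    repeated = len(set(keys)) != len(keys)
    return repeated or any(k in legacy for k in keys)


if __name__ == "__main__":
    print("legacy key entropy, 1-hour window: %.1f bits" % weak_key_entropy_bits(3600))
    print("secure key entropy: 256 bits")
    print("legacy generator predictable:", keys_look_predictable(legacy_generator(42), 42))
    print("secure generator predictable:", keys_look_predictable(secure_api_key, 42))
```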

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to 1.11.38 or later (1.11.x line) or to 2.0.0-RC.3 or later (2.x line); these releases replace the weak key generation routine with a secure random generator.
  • Restrict REST API access to trusted users and enforce strict authentication policies to limit the window in which a stolen key could be used.
  • Monitor API usage logs for repeated failed key attempts or anomalous activity that may indicate brute-force efforts.
  • Verify that the API key generation process has changed after the upgrade by testing key creation and confirming that the resulting values cannot be predicted from the timestamp alone.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type: CPEs
Values added:
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Mon, 13 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values added:
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values added: Chamilo; Chamilo chamilo Lms
Type: Vendors & Products
Values added: Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 19:15:00 +0000

Type: Description
Values added: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Type: Title
Values added: Chamilo LMS has Weak REST API Key Generation (Predictable)
Type: Weaknesses
Values added: CWE-330
Type: References
Values added: (none)
Type: Metrics (cvssV3_1)
Values added:
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:36:06.835Z

Reserved: 2026-03-23T17:06:05.747Z

Link: CVE-2026-33710

Vulnrichment

Updated: 2026-04-13T15:33:23.825Z

NVD

Status: Analyzed

Published: 2026-04-10T19:16:24.257

Modified: 2026-04-16T18:24:17.680

Link: CVE-2026-33710

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:39Z

Weaknesses