Description
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.
Published: 2026-04-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Server‑Side Request Forgery and Open Email Relay
Action: Immediate Patch
AI Analysis

Impact

A public AJAX endpoint, public/main/inc/ajax/install.ajax.php, is served without the global.inc.php include that the other AJAX endpoints use to enforce authentication and to confirm that installation has completed. Its test_mailer action takes an arbitrary Symfony Mailer DSN from POST data and makes the Chamilo server open an outbound SMTP connection to whatever host and port the DSN names. An attacker can therefore send mail that appears to originate from the Chamilo host (an open email relay) and can use the server as an SMTP-speaking SSRF proxy against internal hosts, with connection errors in the responses potentially revealing which internal addresses and ports are alive. The result is unauthenticated outbound SMTP traffic on the attacker's behalf and reconnaissance of the internal network.
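The safe counterpart of the behaviour described above, as an added example for this page rather than code from Chamilo or from the fix in 2.0.0-RC.3: the mailer DSN is treated as untrusted input and checked against a deny-by-default policy before any connection is attempted. It is written in Python so it can run here (Chamilo itself is PHP); the scheme and port sets, the allowlist and the DNS table are constructed for the example, and resolve_all is the only function that touches the network.

```python
"""Deny-by-default validation of an SMTP DSN before any connection is made.

Added example for this advisory page; it is not Chamilo's code and not the
fix shipped in 2.0.0-RC.3.  Policy values and the DNS table are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for the example: only SMTP schemes, only mail ports.
ALLOWED_SCHEMES = {"smtp", "smtps"}
ALLOWED_PORTS = {25, 465, 587}


def is_internal_address(ip: str) -> bool:
    """True for the address classes an SSRF payload aims at: loopback,
    RFC 1918 / RFC 4193 private space, link-local (169.254.169.254 included),
    unspecified, multicast and reserved.  Note that Python also files the
    documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) under
    is_private, so they are rejected as well."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def resolve_all(host: str, port: int) -> list[str]:
    """Every A/AAAA answer for host; a single internal answer must fail the
    check, otherwise a name with one public and one private record slips by."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed DNS table so the example runs offline; production code passes
# resolve_all (the default) instead of sample_resolver.
SAMPLE_DNS = {
    "mail.example.org": ["93.184.216.34"],   # public relay (public address)
    "relay.internal": ["10.0.0.5"],          # relay on the LAN
}


def sample_resolver(host: str, port: int) -> list[str]:
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return SAMPLE_DNS[host]


def validate_mailer_dsn(dsn: str, allowed_hosts: set[str],
                        allow_internal: bool = False,
                        resolver=resolve_all) -> tuple[bool, str]:
    """Return (accepted, reason).

    The DSN must use an SMTP scheme and a mail port, name a host the
    administrator configured, and, unless allow_internal is set because the
    relay genuinely sits on the LAN, resolve only to public addresses.  The
    reason strings are safe to return to a caller: they repeat the caller's
    own input and never echo resolver or connection errors, which is the
    channel the advisory describes for leaking internal topology.
    """
    parts = urlsplit(dsn)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not an SMTP scheme"
    host = parts.hostname          # already lower-cased by urlsplit
    if not host:
        return False, "DSN has no host"
    try:
        port = parts.port
    except ValueError:
        return False, "DSN port is not a number"
    if port is None:
        port = 25
    if port not in ALLOWED_PORTS:
        return False, f"port {port} is not a mail submission port"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} is not the configured mail server"
    try:
        addresses = resolver(host, port)
    except (OSError, ValueError):   # socket.gaierror is an OSError
        return False, "mail server could not be resolved"
    if any(is_internal_address(ip) for ip in addresses) and not allow_internal:
        return False, "mail server resolves to an internal address"
    return True, f"ok: {host}:{port}"


if __name__ == "__main__":
    policy = {"mail.example.org"}
    for dsn in ("smtp://mail.example.org:587",
                "smtp://10.0.0.5:25",
                "smtp://mail.example.org:8080",
                "http://169.254.169.254/latest/meta-data/"):
        print(f"{dsn:45} -> {validate_mailer_dsn(dsn, policy, resolver=sample_resolver)}")
```

The allowlist is the actual SSRF fix; the address-class check is a second net for the case where an allowlisted name is later pointed at an internal address. For an endpoint like test_mailer the stricter design is simpler still: ignore any DSN in the request and test only the DSN already stored in the platform configuration.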

Affected Systems

Chamilo LMS, the open‑source learning management system, is affected in version 2.0‑RC.2, the only version the advisory names. The fix shipped in version 2.0.0‑RC.3, which closes the unauthenticated path to the test_mailer action.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (High) follows from the vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, and a changed scope because the impact lands on systems other than the LMS (the SMTP hosts it is made to contact and the recipients of relayed mail). The EPSS estimate is below 1%, a low predicted probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the History below nevertheless rates it Automatable. An attacker triggers the flaw with a single unauthenticated HTTP POST to the public endpoint carrying a crafted SMTP DSN, after which the Chamilo server relays mail or attempts SMTP connections to hosts of the attacker's choosing, including internal ones, which supports phishing campaigns and reconnaissance of the internal network.
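Detection over web-server access logs for the request pattern just described, as an added example that is not part of the advisory or of OpenCVE's analysis. It assumes the Combined Log Format and that public/ is the web root, so the file is requested as /main/inc/ajax/install.ajax.php; the log lines are constructed. The DSN is POST data, which access logs do not record (the action selector may be too), so the example keys on the path alone: on a fully installed instance no request to this file is expected.

```python
"""Triage of web-server access logs for requests to install.ajax.php.

Added example for this advisory page, not part of the advisory or of
Chamilo.  Assumes the Combined Log Format and that public/ is the web root,
so the file is requested as /main/inc/ajax/install.ajax.php; the log lines
below are constructed.
"""
import re
from collections import Counter
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Match on the file name rather than a full path so deployments served from
# a sub-directory are still caught.
TARGET_FILE = "install.ajax.php"

# Constructed sample: one source probing the endpoint with a GET, then two
# POSTs answered 200, plus ordinary traffic and a junk line that must not alert.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Apr/2026:22:01:03 +0000] "GET /main/inc/ajax/install.ajax.php HTTP/1.1" 200 48 "-" "curl/8.5.0"
198.51.100.7 - - [14/Apr/2026:22:01:09 +0000] "POST /main/inc/ajax/install.ajax.php HTTP/1.1" 200 112 "-" "python-requests/2.31"
198.51.100.7 - - [14/Apr/2026:22:01:15 +0000] "POST /main/inc/ajax/install.ajax.php HTTP/1.1" 200 98 "-" "python-requests/2.31"
203.0.113.42 - - [14/Apr/2026:22:02:00 +0000] "GET /main/inc/ajax/example.ajax.php?a=ping HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.42 - - [14/Apr/2026:22:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line at all
"""


def parse_line(line: str) -> Optional[dict]:
    """Fields of one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines) -> tuple[list, Counter]:
    """Return (hits, posters).

    hits: every parsed request whose path names install.ajax.php, tagged
    'high' for a POST answered 200 (the request body, and so a DSN, may
    have been processed) and 'medium' otherwise.  Even a GET probe is worth
    an alert, because the file has no role once installation is complete.
    posters: POST count per source IP, the list to feed into blocking.
    """
    hits, posters = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1] != TARGET_FILE:
            continue
        is_post = rec["method"] == "POST"
        rec["severity"] = "high" if is_post and rec["status"] == "200" else "medium"
        hits.append(rec)
        if is_post:
            posters[rec["ip"]] += 1
    return hits, posters


if __name__ == "__main__":
    hits, posters = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["severity"]:6} {h["ip"]:15} {h["ts"]} {h["method"]} {h["path"]} {h["status"]}')
    print("POSTs per source:", dict(posters))
```

Run it over the real access log with `triage(open(path))` once the format has been confirmed; a 302 or 403 on the same path after the web-server deny rule from the remediation section is in place is the expected post-mitigation signature, while a 200 on a POST means the mitigation is not yet effective.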

Generated by OpenCVE AI on April 14, 2026 at 22:50 UTC.

Remediation

The vendor fix is the upgrade to Chamilo LMS 2.0.0‑RC.3 named in the description; no separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 2.0.0‑RC.3 or later, which closes the unauthenticated access to the test_mailer action.
  • If upgrading is not immediately feasible, deny access to public/main/inc/ajax/install.ajax.php at the web server (for example with an Apache .htaccess rule or an nginx location block). On a fully installed instance the file has no remaining purpose, so a blanket deny is simpler and safer than trying to bolt authentication onto it.
  • As an additional containment measure, restrict outbound SMTP (TCP 25, 465 and 587) from the Chamilo server to the organisation's sanctioned mail relay only, which removes the open‑relay abuse. Perimeter egress filtering alone does not stop the SSRF component, whose targets are internal hosts; host‑based firewall rules on the Chamilo server itself are needed for that.

Generated by OpenCVE AI on April 14, 2026 at 22:50 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Chamilo; Chamilo chamilo Lms
Vendors & Products  |                | Chamilo; Chamilo chamilo Lms

Tue, 14 Apr 2026 21:15:00 +0000

Type        | Values Removed | Values Added
Description |                | (the CVE description reproduced in full in the Description section above)
Title       |                | Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action
Weaknesses  |                | CWE-306; CWE-918
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T13:37:16.615Z

Reserved: 2026-03-23T17:06:05.748Z

Link: CVE-2026-33715

Vulnrichment

Updated: 2026-04-15T13:37:11.270Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T21:16:26.060

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-33715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses