Impact
The Chamilo Learning Management System suffers from an Insecure Direct Object Reference (IDOR) that lets any authenticated user, including those holding only the student role, query the /api/users endpoint and retrieve a list of all platform users together with their email addresses, phone numbers, and role assignments. Because administrator accounts are included in that list, the flaw results in broad exposure of sensitive personal information. This is a classic IDOR weakness: it compromises confidentiality but does not by itself provide code execution or denial-of-service capabilities.
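To make the authentication-versus-authorization gap concrete, here is an added example in generic Python (not Chamilo's code) that contrasts a listing handler which only checks for a login with one that makes an explicit role decision, plus a per-user route that applies an owner-or-admin check and a reduced projection. The user directory, the role names and the session dictionary are constructed for the illustration.

```python
"""Illustration of the access-control gap described above: an endpoint that
verifies *authentication* (someone is logged in) but never makes an
*authorization* decision (is this caller allowed to see every user?).
Generic Python; this is not Chamilo code, and the user directory, role names
and session shape are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    email: str
    phone: str
    roles: frozenset


# Constructed sample directory (fictitious accounts, not real data).
USERS = {
    1: User(1, "alice.admin", "alice@example.org", "+10000000001", frozenset({"admin"})),
    2: User(2, "bob.teacher", "bob@example.org", "+10000000002", frozenset({"teacher"})),
    3: User(3, "carol.student", "carol@example.org", "+10000000003", frozenset({"student"})),
}


class Forbidden(Exception):
    """Raised when an authenticated caller lacks the role the operation needs."""


def _require_login(session):
    """Authentication only: a session must carry a known user id."""
    if not session or "user_id" not in session or session["user_id"] not in USERS:
        raise PermissionError("authentication required")
    return USERS[session["user_id"]]


def _full_record(user):
    """The sensitive projection: contact details and role assignments."""
    return {
        "id": user.user_id,
        "username": user.username,
        "email": user.email,
        "phone": user.phone,
        "roles": sorted(user.roles),
    }


def _public_record(user):
    """The reduced projection safe to show to any logged-in user."""
    return {"id": user.user_id, "username": user.username}


def list_users_vulnerable(session):
    """Pattern with the flaw: the only gate is 'is anyone logged in?'.
    A student session receives every user's email, phone and roles,
    administrators included."""
    _require_login(session)
    return [_full_record(u) for u in USERS.values()]


def list_users_hardened(session):
    """Fixed pattern: an explicit authorization decision after authentication.
    Only administrators may enumerate the full directory."""
    caller = _require_login(session)
    if "admin" not in caller.roles:
        raise Forbidden("listing all users requires the admin role")
    return [_full_record(u) for u in USERS.values()]


def get_user_hardened(session, user_id):
    """Object-level check for the single-user route: the full record is
    returned only to the owner or an administrator; everyone else gets the
    public projection, and unknown ids return None regardless of role."""
    caller = _require_login(session)
    target = USERS.get(user_id)
    if target is None:
        return None
    if "admin" in caller.roles or caller.user_id == user_id:
        return _full_record(target)
    return _public_record(target)


if __name__ == "__main__":
    student = {"user_id": 3}
    print("vulnerable:", len(list_users_vulnerable(student)), "records leaked to a student")
    try:
        list_users_hardened(student)
    except Forbidden as exc:
        print("hardened:", exc)
```

The hardened variant does two things the vulnerable one omits: it decides, per route, which roles may read the collection at all, and it narrows what a non-privileged caller sees of another user to fields that are not personal data. Both checks belong in the server-side handler; hiding the endpoint in the client UI does not close the gap.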
Affected Systems
The issue affects the chamilo:chamilo-lms product for all versions released before 2.0.0‑RC.3. Upgrading to 2.0.0‑RC.3 or a later release eliminates the vulnerability.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, reflecting the requirement for authentication and the confidentiality impact. No exploit has yet appeared in the wild and the vulnerability is not listed in the CISA KEV catalog, but the attack vector is wide: any authenticated user can issue a GET request over the network to the API endpoint. If an attacker compromises a user account or obtains valid credentials, they can enumerate the entire user base and leak personal data. Because the fault lies in application-level authorization logic, exploitation needs no special hardware or environmental conditions, making it likely to be leveraged once a legitimate login is obtained.
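Because any logged-in account can trigger the exposure, the useful signal during the window before upgrading is a non-administrator successfully reading the user collection. The following is an added detection sketch, not Chamilo tooling: it scans access-log lines for that pattern. It assumes an Apache/nginx combined-format log whose remote-user field carries the authenticated username, that the collection route is /api/users as stated above, and that a username-to-role map is available from the site's own user directory; the log lines and the role map are constructed for the example.

```python
"""Detection sketch for the exposure window before the upgrade: scan web
server access logs for successful reads of the user-listing API by accounts
that are not administrators. Added example, not Chamilo tooling. Assumptions:
combined-format access log with the authenticated username in the remote-user
field, collection route /api/users, and a username-to-role map taken from the
platform's user table (constructed here)."""
import re
from collections import Counter

# Constructed sample log lines (fictitious hosts, accounts and timestamps).
SAMPLE_LOG = """\
10.0.0.5 - carol.student [12/May/2025:10:01:02 +0000] "GET /api/users HTTP/1.1" 200 48213
10.0.0.5 - carol.student [12/May/2025:10:01:09 +0000] "GET /api/users?page=2 HTTP/1.1" 200 47990
10.0.0.7 - alice.admin [12/May/2025:10:03:15 +0000] "GET /api/users HTTP/1.1" 200 48213
10.0.0.9 - bob.teacher [12/May/2025:10:05:40 +0000] "GET /api/courses HTTP/1.1" 200 1200
10.0.0.9 - bob.teacher [12/May/2025:10:05:58 +0000] "GET /api/users/2 HTTP/1.1" 200 310
10.0.0.11 - - [12/May/2025:10:06:01 +0000] "GET /api/users HTTP/1.1" 401 0
this line is not in the expected format
"""

# Constructed role lookup; in practice derived from the platform's user table.
ROLE_OF = {"carol.student": "student", "bob.teacher": "teacher", "alice.admin": "admin"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_user_enumeration(log_text, role_of, listing_path="/api/users"):
    """Flag successful GETs of the whole user collection by non-admin accounts.
    Only the collection route counts: /api/users/<id> is a different route,
    and query strings are stripped before the path comparison."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        path = rec["target"].split("?", 1)[0]
        if path != listing_path:
            continue
        role = role_of.get(rec["user"], "unknown")
        if role == "admin":
            continue
        findings.append({"user": rec["user"], "role": role, "ip": rec["ip"],
                         "ts": rec["ts"], "target": rec["target"]})
    return findings


def summarize(findings):
    """Count flagged collection reads per account, e.g. to drive an alert threshold."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    hits = find_user_enumeration(SAMPLE_LOG, ROLE_OF)
    for h in hits:
        print(f"{h['ts']} {h['user']} ({h['role']}) from {h['ip']} read {h['target']}")
    print(dict(summarize(hits)))
```

On the constructed sample only the two student reads are flagged; the administrator's read, the per-user route, the unrelated course listing and the unauthenticated 401 are all skipped. A caveat for real deployments: when the application authenticates by session cookie rather than HTTP authentication, the remote-user field is usually empty, so the username has to be joined in from the application's own session or audit logs before the role lookup is meaningful.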
OpenCVE Enrichment