Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.
Published: 2026-04-14
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery enabling internal network probing and metadata theft
Action: Apply Patch
AI Analysis

Impact

An unauthenticated SSRF flaw exists in the PENS plugin of Chamilo LMS. The public endpoint at public/plugin/Pens/pens.php accepts a user-controlled package-url parameter that the server fetches with curl without filtering private or internal IP addresses. An attacker can supply arbitrary URLs to make the server fetch internal resources, including cloud metadata endpoints such as 169.254.169.254, thereby exposing IAM credentials and other sensitive data. The vulnerability also permits state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to trigger either SSRF vector, greatly expanding the attack surface.
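The defect described above is a missing destination check: the server hands a user-supplied URL to curl without asking where it points. The Python below is an added example, not Chamilo code and not the fix shipped in 2.0.0-RC.3; it shows what such a check looks like on the defender's side. The host names, the CONSTRUCTED_DNS table and the function names are invented for the example; it resolves the host once, requires every answer to be a public unicast address, and returns the vetted IP so the caller can connect to that address rather than resolving again.

```python
"""SSRF destination check for server-side fetches of user-supplied URLs.

Added example, not Chamilo code: it models the filter the advisory says the
PENS endpoint lacks before handing package-url to curl. The host is resolved
once, every answer must be a public unicast address, and the caller is
expected to connect to the returned IP (not re-resolve) so a second DNS
answer cannot swap in 127.0.0.1 (DNS rebinding).
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no file://, gopher://, ftp:// etc.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Every A/AAAA answer the OS gives for host; empty list if it fails."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed DNS table so the example runs offline (names and answers are
# invented; 8.8.8.8 / 1.1.1.1 merely stand in for "some public address").
CONSTRUCTED_DNS = {
    "cdn.example": ["8.8.8.8"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["1.1.1.1", "127.0.0.1"],   # one public, one loopback
    "mapped.example": ["::ffff:10.0.0.1"],        # IPv4-mapped IPv6 disguise
}


def table_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver (hypothetical helper)."""
    return CONSTRUCTED_DNS.get(host, [])


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (169.254.0.0/16, which holds the cloud
    metadata address), CGNAT, multicast, reserved and unspecified all fail.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # ::ffff:10.0.0.1 is really 10.0.0.1; judge it as the embedded IPv4 address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def vet_fetch_target(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Return the vetted IP to connect to, or None if the fetch must be refused.

    Refuses: non-http(s) schemes, embedded credentials (user@host), hosts that
    do not resolve, and any host whose answer set contains even one
    non-public address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    if parts.username or parts.password:
        return None
    host = parts.hostname
    try:
        # literal IP: judge it directly (also covers bracketed IPv6 literals)
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        # hostname: judge every address it resolves to, not just the first
        addresses = list(resolver(host))
    if not addresses or not all(is_public_address(a) for a in addresses):
        return None
    return addresses[0]


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example/package.zip",
        "http://169.254.169.254/",
        "http://intranet.example/admin",
        "http://rebind.example/",
        "http://mapped.example/",
        "file:///etc/hostname",
        "http://[::1]:8080/",
    ):
        verdict = vet_fetch_target(candidate, table_resolver)
        print(f"{candidate:40} -> {'fetch via ' + verdict if verdict else 'REFUSED'}")
```

Two caveats matter when wiring a check like this in front of curl. First, the check must be repeated for every redirect hop, or redirect following must be switched off, because a public host can answer with a 302 to an internal address. Second, the fetch should go to the vetted IP (curl's CURLOPT_RESOLVE can pin a host name to that address) and restrict protocols to HTTP(S) (CURLOPT_PROTOCOLS); a host that merely resolves to a public address at check time has not been proven safe at connect time. Decimal or octal IP spellings are handled because they reach the resolver and come back as the canonical address, which is then judged like any other answer.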

Affected Systems

Chamilo Learning Management System for all versions before 2.0.0-RC.3, specifically the PENS plugin exposed through public/plugin/Pens/pens.php. The affected vendor is Chamilo and the product is Chamilo LMS.

Risk and Exploitability

A CVSS score of 8.6 indicates high severity. No EPSS value is given, so the exploitation probability is not quantified, but the publicly reachable endpoint makes active exploitation plausible. The flaw is not listed in the CISA KEV catalog. Because the endpoint is reachable without authentication, an attacker on the public internet can craft a request with a chosen package-url parameter and direct the server to internal network addresses, enabling reconnaissance or credential theft. Remote SSRF is therefore a broad attack vector that can be used to compromise internal hosts, leak secrets, and perform unwanted operations on internal services.

Generated by OpenCVE AI on April 14, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 2.0.0-RC.3 or later, which contains the SSRF fix
  • Disable the PENS plugin if it is not required for your deployment
  • Apply network segmentation and firewall rules to block outbound requests from the web server to internal IP ranges


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Chamilo; Chamilo chamilo Lms

Type: Vendors & Products
Values removed: none
Values added: Chamilo; Chamilo chamilo Lms

Tue, 14 Apr 2026 21:15:00 +0000

Type: Description
Values removed: none
Values added: Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.

Type: Title
Values removed: none
Values added: Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services

Type: Weaknesses
Values removed: none
Values added: CWE-306; CWE-918

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:26:33.592Z

Reserved: 2026-03-25T20:12:04.197Z

Link: CVE-2026-34160

Vulnrichment

Updated: 2026-04-15T14:26:17.479Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T21:16:26.227

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-34160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses