Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The application fetches the note content using only the supplied integer ID without verifying that the requesting user owns the note, and the full title and HTML body are rendered in the edit form and returned to the attacker's browser. While ownership checks exist in the write paths (updateNote() and delete_note()), they are entirely absent from the read path (get_note_information()). This issue has been fixed in version 2.0.0-RC.3.
Published: 2026-04-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Disclosure
Action: Patch
AI Analysis

Impact

Chamilo LMS contains an insecure direct object reference that allows any authenticated student to read the private course notes of other users by manipulating the notebook_id parameter in the editnote action. The system retrieves note information using only the provided integer ID without checking that the requesting user owns the note, and renders the full title and HTML body in the edit form. Because notebook IDs are sequential integers, an attacker can walk the ID space and collect every note on the platform. The write paths are not affected: the attacker gains read access to the complete note contents (confidentiality impact only), which may include sensitive academic or personal data.
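The pattern the advisory describes, reduced to a self-contained Python model (an added example written for this page; it is not Chamilo's code, and the function names are borrowed from the CVE text only as labels). The store, the two users and the sample notes are constructed. The point it shows is that the read path must apply the same ownership predicate the write paths already apply, and that an unowned ID should be treated exactly like a missing one so the check itself does not reveal which IDs exist.

```python
"""Added example (not Chamilo's code): the notebook IDOR, vulnerable and fixed."""

from dataclasses import dataclass


@dataclass
class Note:
    notebook_id: int
    user_id: int       # owner
    title: str
    description: str   # HTML body rendered into the edit form


# Constructed sample data: user 1 is the victim, user 2 the attacker.
NOTES = {
    10: Note(10, 1, "Exam 2 draft answers", "<p>Q3 answer: ...</p>"),
    11: Note(11, 2, "My todo", "<p>Read chapter 4</p>"),
}


def get_note_information_vulnerable(notebook_id: int) -> dict:
    """Read path as the advisory describes it: keyed on the integer id only,
    no check that the requesting user owns the note."""
    note = NOTES[notebook_id]
    return {"title": note.title, "description": note.description}


def get_note_information(notebook_id: int, current_user_id: int) -> dict:
    """Hardened read path: ownership is checked before any field leaves the
    function. Unknown id and unowned id produce the same error, so the
    response does not confirm whether a given id exists."""
    note = NOTES.get(notebook_id)
    if note is None or note.user_id != current_user_id:
        raise PermissionError("note not found or not owned by the current user")
    return {"title": note.title, "description": note.description}


def update_note(notebook_id: int, current_user_id: int, title: str, description: str) -> bool:
    """Write path: ownership enforced, as the advisory says it already was."""
    note = NOTES.get(notebook_id)
    if note is None or note.user_id != current_user_id:
        return False
    note.title, note.description = title, description
    return True


def demo_attacker_reads_victim_note(attacker_id: int = 2, victim_note_id: int = 10) -> dict:
    """The same request (?action=editnote&notebook_id=10, sent from the
    attacker's session) handled by both read paths, plus a write attempt."""
    leaked = get_note_information_vulnerable(victim_note_id)
    try:
        get_note_information(victim_note_id, attacker_id)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "vulnerable_leaks_title": leaked["title"],
        "fixed_blocks": blocked,
        "write_blocked": not update_note(victim_note_id, attacker_id, "x", "y"),
    }


if __name__ == "__main__":
    print(demo_attacker_reads_victim_note())
```

The ownership predicate is deliberately the same expression in `get_note_information` and `update_note`; in a real code base it belongs in one helper so a new read or export path cannot forget it.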

Affected Systems

The vulnerability applies to Chamilo LMS releases preceding 2.0.0-RC.3, including the 2.0.0 alpha, beta and RC1/RC2 pre-releases listed in the CPE data below. The fix, which adds the missing ownership check to the read path, is available in 2.0.0-RC.3. The affected product is the chamilo-lms code base published by Chamilo.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) the flaw is rated moderate, but it permits leakage of confidential course notes. Exploitation requires only a logged-in account with ordinary student privileges; no elevated privileges and no user interaction are needed, and the attack amounts to substituting another user's integer notebook_id in an editnote request. The EPSS score is below 1%, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, so no exploitation in the wild has been reported; the low attack complexity means a working request is trivial to produce once an attacker holds any account, however. The ability to read arbitrary private notes constitutes a significant privacy risk that should be addressed promptly.

Generated by OpenCVE AI on April 14, 2026 at 22:21 UTC.

Remediation

Fixed in Chamilo LMS 2.0.0-RC.3, which adds the ownership check to the note read path (get_note_information()). No vendor workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Update Chamilo LMS to version 2.0.0-RC.3 or later to enforce ownership checks on note retrieval.
  • If an immediate upgrade is not possible, disable or restrict the notebook tool for non-admin roles so that the editnote action is not reachable by ordinary students.
  • Review other modules for the same pattern: an integer object ID accepted from the request and used to fetch a record without comparing the record's owner to the current user (CWE-639), particularly in read paths that were never given the checks applied to update and delete.
  • Monitor application and web server logs for editnote requests whose notebook_id does not belong to the requesting user, and for a single account requesting many distinct notebook_id values in a short window, which is the signature of ID enumeration.
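The two detections in the last recommendation, as an added example written for this page (it is not OpenCVE's or Chamilo's tooling). Chamilo's real log format is not shown on this page, so the example assumes a constructed key=value line per notebook request that carries the session user id, the action and the notebook_id, and an ownership table exported from the database (here an inline dict). The cross-user rule needs that ownership join; the enumeration heuristic works on the logs alone and is the one to run where the join is not available.

```python
"""Added example (not OpenCVE's or Chamilo's tooling): flag cross-user
notebook reads and notebook_id enumeration in constructed application logs."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ownership table: notebook_id -> owning user_id (assumed DB export).
OWNER = {10: 1, 11: 2, 12: 3, 13: 3, 14: 4}

# Constructed log lines in an assumed key=value format (not Chamilo's format).
SAMPLE_LOG = """\
2026-04-14T10:00:01Z user=2 action=editnote notebook_id=11 status=200
2026-04-14T10:00:09Z user=2 action=editnote notebook_id=10 status=200
2026-04-14T10:00:12Z user=2 action=editnote notebook_id=12 status=200
2026-04-14T10:00:15Z user=2 action=editnote notebook_id=13 status=200
2026-04-14T10:00:18Z user=2 action=editnote notebook_id=14 status=200
2026-04-14T10:05:00Z user=3 action=editnote notebook_id=12 status=200
2026-04-14T10:06:00Z user=3 action=updatenote notebook_id=13 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) action=(?P<action>\w+) notebook_id=(?P<nid>\d+)"
)


def parse(log_text: str) -> list:
    """Turn matching lines into events; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": int(m["user"]),
            "action": m["action"],
            "nid": int(m["nid"]),
        })
    return events


def cross_user_reads(events: list, owner: dict = OWNER) -> list:
    """editnote requests where the session user is not the note's owner.
    On a vulnerable version these are successful disclosures; on a patched
    one they are probes. Unknown ids are ignored (no owner to compare)."""
    return [e for e in events
            if e["action"] == "editnote" and owner.get(e["nid"]) not in (None, e["user"])]


def enumeration(events: list, window: timedelta = timedelta(minutes=5), threshold: int = 3) -> dict:
    """Users that touch >= threshold distinct notebook_ids inside one window,
    i.e. someone walking the integer id space. Returns user -> distinct ids."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            ids = {e["nid"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ids) >= threshold:
                flagged[user] = len(ids)
                break
    return flagged


def analyze(log_text: str = SAMPLE_LOG) -> dict:
    events = parse(log_text)
    return {
        "cross_user": [(e["user"], e["nid"]) for e in cross_user_reads(events)],
        "enumeration": enumeration(events),
    }


if __name__ == "__main__":
    print(analyze())
```

On the sample, user 2 reads four notes owned by other users and touches five distinct IDs within a few seconds, so both rules fire; user 3 only opens their own notes and stays under the enumeration threshold. Tune `window` and `threshold` against a baseline of legitimate use before alerting, since a student with many notes of their own will open several IDs in quick succession.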


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:00:00 +0000

Type: CPEs
Values Removed: none
Values Added:
  cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Wed, 15 Apr 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Chamilo; Chamilo chamilo Lms

Type: Vendors & Products
Values Removed: none
Values Added: Chamilo; Chamilo chamilo Lms

Tue, 14 Apr 2026 21:45:00 +0000

Type: Description
Values Removed: none
Values Added: Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The application fetches the note content using only the supplied integer ID without verifying that the requesting user owns the note, and the full title and HTML body are rendered in the edit form and returned to the attacker's browser. While ownership checks exist in the write paths (updateNote() and delete_note()), they are entirely absent from the read path (get_note_information()). This issue has been fixed in version 2.0.0-RC.3.

Type: Title
Values Removed: none
Values Added: Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes

Type: Weaknesses
Values Removed: none
Values Added: CWE-285; CWE-639

Type: References
Values Removed: none
Values Added: none listed on this page

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:03:07.959Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34370

Vulnrichment

Updated: 2026-04-15T18:57:26.117Z

NVD

Status : Analyzed

Published: 2026-04-14T22:16:31.340

Modified: 2026-04-22T18:46:34.627

Link: CVE-2026-34370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses