Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.
Published: 2026-04-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized enrollment of arbitrary users into courses, compromising platform integrity
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS versions prior to 2.0.0‑RC.3 contain an Insecure Direct Object Reference flaw in the /api/course_rel_users endpoint. The vulnerability allows an authenticated attacker to change the user parameter in the request payload, enrolling any user into any course without verification that the requester is authorized to act on behalf of that user. This defect removes the protective boundaries of enrollment controls, enabling the attacker to view and interact with course materials that were not intended for them, potentially exposing sensitive educational content and undermining the integrity of the platform.

Affected Systems

The affected product is Chamilo LMS. All installations running a version older than 2.0.0‑RC.3 are vulnerable. Versions 2.0.0‑RC.3 and newer include the fix confirmed in the linked commits and release notes.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score is not available, so the current exploitation probability cannot be quantified. The CVE description states that the attacker must be authenticated to use the endpoint, but it does not explicitly require privileged roles; it is inferred that a normal authenticated user can exploit the flaw. The attack vector is likely a network request to the API; this is also inferred because the description references the /api/course_rel_users endpoint. The absence of server‑side checks for ownership or permission markedly increases the potential impact, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 14, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 2.0.0‑RC.3 or later, which removes the IDOR flaw in the /api/course_rel_users endpoint.
  • Restrict access to the /api/course_rel_users endpoint so that only users with instructor or administrative privileges can invoke it, ensuring proper role‑based access control is enforced.
  • If an immediate upgrade is not possible, limit direct network access to the endpoint through firewall rules or IP restrictions so that only trusted administrators can reach it.
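The weakness the Description attributes to the endpoint is that the server takes the `user` value from the request body at face value and never asks whether the authenticated requester is allowed to act on that user. The following Python model, added here as an illustration and not taken from Chamilo's code base, shows that missing decision next to the trusting pattern. The role model (platform admin, course teacher, self-enrolment), the `Requester` and `EnrollmentStore` types, and the `handle_create` handler name are all assumptions made for the example; the only fact carried over from the page is that the requester's identity must come from the authenticated session while the target user comes from the payload, and the two must be reconciled server-side.

```python
"""Server-side authorization for a course-enrollment API, modelled on the
CVE-2026-34602 description. Illustrative code; role names, data model and
handler names are assumptions, not Chamilo's implementation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requester:
    """Identity taken from the authenticated session, never from the body."""
    user_id: int
    is_admin: bool = False
    teaching: frozenset = frozenset()   # course ids this user teaches (assumed model)


@dataclass
class EnrollmentStore:
    """In-memory stand-in for the user/course relation table (constructed)."""
    rows: set = field(default_factory=set)


def handle_create_trusting(store, requester, payload):
    """Pattern the advisory describes: the payload's 'user' is used as-is, and the
    requester's identity never enters the decision. Shown only for contrast."""
    store.rows.add((int(payload["user"]), int(payload["course"])))
    return 201


def authorize_enrollment(requester, target_user_id, course_id):
    """Decide whether `requester` may create the relation (target_user, course).

    Allowed when the requester is a platform admin, teaches the course, or is
    enrolling their own account. Any other combination is denied, which closes
    the 'enroll an arbitrary user into an arbitrary course' path.
    (Whether self-enrolment is open for a given course is a separate policy
    check that a real system would add here; it is omitted in this model.)
    """
    if requester.is_admin:
        return True
    if course_id in requester.teaching:
        return True
    return target_user_id == requester.user_id


def handle_create(store, requester, payload):
    """Hardened handler. Returns an HTTP-like status so callers can test it:
    400 for a malformed body, 403 when the authorization check fails, 201 on
    success. The target user is validated before any ownership decision."""
    try:
        target = int(payload["user"])
        course = int(payload["course"])
    except (KeyError, TypeError, ValueError):
        return 400
    if not authorize_enrollment(requester, target, course):
        return 403
    store.rows.add((target, course))
    return 201


if __name__ == "__main__":
    # Constructed sample: an ordinary learner (id 1), a teacher of course 10 (id 3).
    store = EnrollmentStore()
    learner = Requester(user_id=1)
    teacher = Requester(user_id=3, teaching=frozenset({10}))
    print(handle_create(store, learner, {"user": "1", "course": "10"}))  # own account: 201
    print(handle_create(store, learner, {"user": "2", "course": "10"}))  # other user: 403
    print(handle_create(store, teacher, {"user": "2", "course": "10"}))  # course teacher: 201
    print(sorted(store.rows))
```

The important design point is that `authorize_enrollment` is evaluated on every create, with the requester taken from the session and the target from the body; a check that compares only body fields against each other, or that is done client-side, does not address CWE-639. The same function is also the natural place to emit an audit log entry when a 403 is returned, since repeated denials from one account against many target users are a useful detection signal for this class of flaw.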



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:00:00 +0000

Type: CPEs
Values Removed: (none shown)
Values Added:
  cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Wed, 15 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none shown)
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values Removed: (none shown)
Values Added:
  Chamilo
  Chamilo chamilo Lms

Type: Vendors & Products
Values Removed: (none shown)
Values Added:
  Chamilo
  Chamilo chamilo Lms

Tue, 14 Apr 2026 21:45:00 +0000

Type: Description
Values Removed: (none shown)
Values Added: the Description text shown at the top of this page

Type: Title
Values Removed: (none shown)
Values Added: Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses

Type: Weaknesses
Values Removed: (none shown)
Values Added: CWE-639

Type: References
Values Removed: (none shown)
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Removed: (none shown)
Values Added:
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T13:32:34.878Z

Reserved: 2026-03-30T17:15:52.500Z

Link: CVE-2026-34602

Vulnrichment

Updated: 2026-04-15T13:32:29.929Z

NVD

Status: Analyzed

Published: 2026-04-14T22:16:31.500

Modified: 2026-04-22T18:46:22.343

Link: CVE-2026-34602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses