CVE-2026-32894

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Configurations

Configuration 1

OR cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

History

17 Apr 2026, 21:28

Type: First Time
Values Added:
Chamilo chamilo Lms
Chamilo

Type: CPE
Values Added:
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*

Type: References
Values Removed: () https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151 -
Values Added: () https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151 - Patch

Type: References
Values Removed: () https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519 -
Values Added: () https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519 - Patch

Type: References
Values Removed: () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98 -
Values Added: () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98 - Exploit, Vendor Advisory

13 Apr 2026, 16:16

Type: References
Values Removed: () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98 -
Values Added: () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98 -

10 Apr 2026, 18:16

Type: New CVE

Information

Published : 2026-04-10 18:16

Updated : 2026-04-17 21:28


NVD link : CVE-2026-32894

Mitre link : CVE-2026-32894

CVE.ORG link : CVE-2026-32894



Products Affected

chamilo

  • chamilo_lms

CWE

CWE-476

NULL Pointer Dereference

CWE-639

Authorization Bypass Through User-Controlled Key