Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.
References
Configurations
Configuration 1 (hide)
|
History
17 Apr 2026, 21:24
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Chamilo chamilo Lms
Chamilo |
|
| CPE | cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:* |
|
| References | () https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80 - Patch | |
| References | () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj - Vendor Advisory |
10 Apr 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-10 18:16
Updated : 2026-04-17 21:24
NVD link : CVE-2026-33141
Mitre link : CVE-2026-33141
CVE.ORG link : CVE-2026-33141
JSON object : View
Products Affected
chamilo
- chamilo_lms