Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
References
Configurations
Configuration 1 (hide)
|
History
16 Apr 2026, 18:24
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:* |
|
| References | () https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09 - Patch | |
| References | () https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d - Patch | |
| References | () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39 - Vendor Advisory | |
| First Time |
Chamilo chamilo Lms
Chamilo |
10 Apr 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-10 19:16
Updated : 2026-04-16 18:24
NVD link : CVE-2026-33710
Mitre link : CVE-2026-33710
CVE.ORG link : CVE-2026-33710
JSON object : View
Products Affected
chamilo
- chamilo_lms
CWE
CWE-330
Use of Insufficiently Random Values