Cyber Resilience

CVE-2025-52469

Severity: High · Public PoC: referenced

Published: 02 March 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available (fixed in 1.11.30)
CVSS v3.1: 7.1 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.0004 (13.4th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52469 is a high-severity Improper Enforcement of Behavioral Workflow (CWE-841) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 13.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2025-52469 is a logic vulnerability in the friend request workflow of Chamilo's social network module, affecting the open-source learning management system Chamilo prior to version 1.11.30. An authenticated user can directly call an AJAX endpoint to forcibly add any other user as a friend, bypassing the standard process of sending and awaiting acceptance of friend requests. This flaw even permits adding non-existent users, undermining access control and social interaction logic with potential privacy implications. The vulnerability is rated 7.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) and maps to CWE-841 (Improper Enforcement of Behavioral Workflow).

Any low-privileged authenticated user on a Chamilo instance can exploit this over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to manipulate the social graph by unilaterally establishing friendships, potentially granting unauthorized access to private profiles, messages, or shared resources tied to the friend relationship. While direct confidentiality impact is low, the high integrity impact disrupts intended social controls, enabling abuse such as spam, harassment, or further reconnaissance in educational environments.

The issue has been addressed in Chamilo version 1.11.30, as detailed in the project's GitHub security advisory (GHSA-m5xj-5xf3-rqch), the release notes, and the patching commit. Security practitioners should upgrade to 1.11.30 or later, confirm the running version after the upgrade, and review which authenticated roles can reach the social network module's AJAX endpoints. Note that the privilege required is only that of a logged-in user (PR:L), so every account on the instance, including self-registered student accounts where registration is open, is a potential source of exploitation until the fix is applied.


Vulnerability details

Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can bypass the normal flow of sending and accepting friend requests, and even add non-existent users. This breaks access control and social interaction logic, with potential privacy implications. This issue has been patched in version 1.11.30.

CWE(s)

CWE-841 Improper Enforcement of Behavioral Workflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Logic flaw in public-facing web app (Chamilo LMS) allows authenticated workflow bypass for unauthorized actions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-47886 · Same product: Chamilo LMS
CVE-2025-50188 · Same product: Chamilo LMS
CVE-2025-52998 · Same product: Chamilo LMS
CVE-2025-50187 · Same product: Chamilo LMS
CVE-2025-50192 · Same product: Chamilo LMS
CVE-2026-33618 · Same product: Chamilo LMS
CVE-2026-33710 · Same product: Chamilo LMS
CVE-2025-50190 · Same product: Chamilo LMS
CVE-2026-29041 · Same product: Chamilo LMS
CVE-2025-52468 · Same product: Chamilo LMS

Affected Assets

Vendor: chamilo
Product: chamilo lms
Versions: < 1.11.30 (the advisory states the flaw is fixed in 1.11.30, so that release is not affected)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · AC-3 Access Enforcement

Directly enforces the intended friend-request authorization workflow on the AJAX endpoint so that only properly accepted requests can create friendships.

prevent

Requires validation of all inputs to the friend-request endpoint, including that the target user actually exists, so that the behavioral workflow (send-then-accept) is followed rather than allowing direct addition.

prevent · AC-24 Access Control Decisions

Ensures access-control decisions for social-graph changes are made only after the complete, approved workflow rather than on a single unaudited AJAX call.
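As an added example (not Chamilo's code and not taken from the advisory), the workflow bypass described under Deeper analysis and the enforcement the controls above call for, modelled in Python: a vulnerable add-friend handler that writes the relation straight from request parameters, beside a hardened one that treats the same action purely as the accept step of a send-then-accept workflow, derives the pair being linked from server-side state plus the session identity, and rejects ids that do not exist. Every name here (SocialStore, send_request, accept_request, add_friend_vulnerable, add_friend_hardened, the friend_id parameter, the user ids 1, 2 and 999) is an assumption for illustration; the real endpoint, action names and data model are not described on this page.

```python
"""Hypothetical model of a friend-request workflow (added example, not Chamilo code)."""
from dataclasses import dataclass, field
from enum import Enum


class RequestState(Enum):
    PENDING = "pending"
    ACCEPTED = "accepted"


class WorkflowError(Exception):
    """Raised when a call arrives out of order or names an unknown user."""


@dataclass
class SocialStore:
    """In-memory stand-in for the users / friend-request tables (constructed)."""
    users: set
    requests: dict = field(default_factory=dict)   # (requester, target) -> RequestState
    friends: set = field(default_factory=set)      # frozenset({a, b})

    def are_friends(self, a, b):
        return frozenset((a, b)) in self.friends


def send_request(store, requester, target):
    """Step 1 of the workflow: the requester asks; nothing is written to 'friends' yet."""
    if requester not in store.users or target not in store.users:
        raise WorkflowError("unknown user")
    if requester == target or store.are_friends(requester, target):
        raise WorkflowError("nothing to request")
    store.requests[(requester, target)] = RequestState.PENDING


def accept_request(store, acceptor, requester):
    """Step 2: only the addressee of a PENDING request can turn it into a friendship."""
    key = (requester, acceptor)
    if store.requests.get(key) is not RequestState.PENDING:
        raise WorkflowError("no pending request from %s to %s" % (requester, acceptor))
    store.requests[key] = RequestState.ACCEPTED
    store.friends.add(frozenset((requester, acceptor)))


def add_friend_vulnerable(store, session_user, params):
    """CWE-841 pattern: the AJAX action writes the relation straight from request
    parameters. Nothing checks that a request was sent, that the other side
    accepted, or that the supplied id belongs to a real user."""
    friend_id = int(params["friend_id"])
    store.friends.add(frozenset((session_user, friend_id)))
    return {"status": "added"}


def add_friend_hardened(store, session_user, params):
    """Same action, but it can only ever be the 'accept' step of the workflow.
    The acceptor is the session user, never a caller-supplied id."""
    try:
        friend_id = int(params["friend_id"])
    except (KeyError, ValueError):
        return {"status": "error", "reason": "bad id"}
    if friend_id not in store.users:
        return {"status": "error", "reason": "unknown user"}
    try:
        accept_request(store, acceptor=session_user, requester=friend_id)
    except WorkflowError as exc:
        return {"status": "error", "reason": str(exc)}
    return {"status": "added"}


def demo():
    """Replays the bypass against both handlers and returns the observations."""
    alice, bob, ghost = 1, 2, 999            # 999 never exists (constructed ids)

    # Vulnerable: Alice links herself to Bob, and to a non-existent id, one call each.
    v = SocialStore(users={alice, bob})
    add_friend_vulnerable(v, alice, {"friend_id": str(bob)})
    add_friend_vulnerable(v, alice, {"friend_id": str(ghost)})
    forced = v.are_friends(alice, bob) and v.are_friends(alice, ghost)

    # Hardened: the same direct calls are refused ...
    h = SocialStore(users={alice, bob})
    direct = add_friend_hardened(h, alice, {"friend_id": str(bob)})
    ghostly = add_friend_hardened(h, alice, {"friend_id": str(ghost)})
    # ... and after sending a request Alice still cannot accept on Bob's behalf.
    send_request(h, requester=alice, target=bob)
    self_accept = add_friend_hardened(h, alice, {"friend_id": str(bob)})
    # Only Bob, from his own session, completes the workflow.
    accepted = add_friend_hardened(h, bob, {"friend_id": str(alice)})

    return {
        "vulnerable_forced_both": forced,
        "hardened_direct": direct["status"],
        "hardened_ghost": ghostly["reason"],
        "hardened_self_accept": self_accept["status"],
        "hardened_after_accept": accepted["status"] == "added" and h.are_friends(alice, bob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the hardened handler makes is the one AC-24 describes: the decision to link two accounts is taken from recorded state (a PENDING request addressed to the session user), not from whatever ids the caller puts in the AJAX request, so neither a direct call nor a call naming a non-existent user can create a relation.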
