CVE-2025-52469
Published: 02 March 2026
Summary
CVE-2025-52469 is a high-severity Improper Enforcement of Behavioral Workflow (CWE-841) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2025-52469 is a logic vulnerability in the friend request workflow of Chamilo's social network module, affecting the open-source learning management system Chamilo prior to version 1.11.30. An authenticated user can directly call an AJAX endpoint to forcibly add any other user as a friend, bypassing the standard process of sending and awaiting acceptance of friend requests. This flaw even permits adding non-existent users, undermining access control and social interaction logic with potential privacy implications. The vulnerability is rated 7.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) and maps to CWE-841 (Improper Enforcement of Behavioral Workflow).
Any low-privileged authenticated user on a Chamilo instance can exploit this over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to manipulate the social graph by unilaterally establishing friendships, potentially granting unauthorized access to private profiles, messages, or shared resources tied to the friend relationship. While direct confidentiality impact is low, the high integrity impact disrupts intended social controls, enabling abuse such as spam, harassment, or further reconnaissance in educational environments.
The issue has been addressed in Chamilo version 1.11.30, as detailed in the project's GitHub security advisory (GHSA-m5xj-5xf3-rqch), release notes, and the patching commit. Security practitioners should upgrade to 1.11.30 or later and review access to the social network module's AJAX endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208174
Vulnerability details
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo's social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can bypass the normal flow of sending and accepting friend requests, and even add non-existent users. This breaks access control and social interaction logic, with potential privacy implications. This issue has been patched in version 1.11.30.
- CWE(s): CWE-841 (Improper Enforcement of Behavioral Workflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Logic flaw in public-facing web app (Chamilo LMS) allows authenticated workflow bypass for unauthorized actions.
Affected Assets
- Chamilo LMS prior to version 1.11.30 (fixed in 1.11.30)
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces the intended friend-request authorization workflow on the AJAX endpoint so that only properly accepted requests can create friendships.
- Input validation: requires validation of all inputs to the friend-request endpoint to ensure the behavioral workflow (send-then-accept) is followed rather than allowing direct addition.
- AC-24 (Access Control Decisions): ensures access-control decisions for social-graph changes are made only after the complete, approved workflow rather than on a single unaudited AJAX call.
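The controls above and the analysis earlier on this page describe the same fix: a friendship may only be written once a pending request exists and has been accepted by its recipient, and every user id in the request must resolve to a real account. The following is an added illustration of that send-then-accept enforcement, written here for this page; it is not Chamilo's code (Chamilo is a PHP application, and no Chamilo endpoint, table or function name is used). The `FriendshipService` class, its method names and the in-memory sets standing in for database tables are all assumptions made for the example. The weak `add_friend_unchecked` method shows the CWE-841 pattern the advisory describes, in which the server trusts whatever ids the caller supplies, next to the hardened two-step flow in which the authorization decision is keyed on server-side state.

```python
"""Illustrative enforcement of a send-then-accept friend-request workflow.

Constructed example for CWE-841 style logic flaws; not Chamilo's code. The
class, method names and in-memory storage are assumptions for illustration.
"""
from dataclasses import dataclass, field


class WorkflowError(Exception):
    """Raised when a call would skip or violate the intended workflow."""


@dataclass
class FriendshipService:
    # Registered user ids (constructed sample data standing in for a users table).
    users: set[int] = field(default_factory=set)
    # Pending requests keyed by (sender, recipient).
    pending: set[tuple[int, int]] = field(default_factory=set)
    # Accepted friendships stored as unordered pairs.
    friends: set[frozenset[int]] = field(default_factory=set)

    def add_friend_unchecked(self, actor: int, target: int) -> None:
        """Weak form: trusts the caller and writes the friendship directly.

        This is the pattern the advisory describes: the authenticated caller
        names any target, even a non-existent one, and the relationship is
        created with no pending request and no consent from the target.
        """
        self.friends.add(frozenset({actor, target}))

    def send_request(self, actor: int, target: int) -> None:
        """Step 1: record a pending request; both users must exist."""
        self._require_user(actor)
        self._require_user(target)
        if actor == target:
            raise WorkflowError("cannot befriend yourself")
        if frozenset({actor, target}) in self.friends:
            raise WorkflowError("already friends")
        self.pending.add((actor, target))

    def accept_request(self, actor: int, requester: int) -> None:
        """Step 2: only the recipient of a pending request may accept it."""
        self._require_user(actor)
        self._require_user(requester)
        # The decision is keyed on server-side state (a pending request
        # addressed to the acting user), not on the ids the client sent.
        if (requester, actor) not in self.pending:
            raise WorkflowError("no pending request from that user")
        self.pending.discard((requester, actor))
        self.friends.add(frozenset({actor, requester}))

    def is_friend(self, a: int, b: int) -> bool:
        return frozenset({a, b}) in self.friends

    def _require_user(self, user_id: int) -> None:
        if user_id not in self.users:
            raise WorkflowError(f"unknown user {user_id}")


def demo() -> dict[str, bool]:
    """Run both paths on constructed data; True means the action was allowed."""
    weak = FriendshipService(users={1, 2})
    weak.add_friend_unchecked(1, 2)      # no consent from user 2
    weak.add_friend_unchecked(1, 999)    # user 999 does not exist

    hardened = FriendshipService(users={1, 2})
    results = {
        "weak_forced_friendship": weak.is_friend(1, 2),
        "weak_ghost_friendship": weak.is_friend(1, 999),
    }
    # Accepting without a prior request (skipping step 1) is refused.
    try:
        hardened.accept_request(2, 1)
        results["hardened_skipped_step"] = True
    except WorkflowError:
        results["hardened_skipped_step"] = False
    # A request naming a non-existent user is refused.
    try:
        hardened.send_request(1, 999)
        results["hardened_ghost_request"] = True
    except WorkflowError:
        results["hardened_ghost_request"] = False
    # The legitimate two-step flow succeeds.
    hardened.send_request(1, 2)
    hardened.accept_request(2, 1)
    results["hardened_proper_flow"] = hardened.is_friend(1, 2)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'refused'}")
```

The point of the hardened path is that the only fact the client contributes is "I am accepting"; which request is being accepted, and whether the counterpart exists, are looked up on the server. In a real deployment the `users`, `pending` and `friends` sets would be database tables and the existence checks would be foreign-key or lookup queries, but the decision structure is the same.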