Cyber Resilience

CVE-2026-31940

High

Published: 10 April 2026

Published
10 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0024 14.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31940 is a high-severity Session Fixation (CWE-384) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31940 is a session fixation vulnerability affecting Chamilo LMS, an open-source learning management system. In versions prior to 1.11.38 and 2.0.0-RC.3, the component main/lp/aicc_hacp.php directly uses user-controlled request parameters to set the PHP session ID before loading the global bootstrap file. This flaw, classified under CWE-384 (Session Fixation), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-10.

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R), with unchanged scope (S:U). By controlling the session ID via manipulated request parameters, an attacker can force a victim's browser to use a predetermined session identifier. If the victim subsequently authenticates, the attacker may hijack the session, achieving high impacts on confidentiality, integrity, and availability.

Mitigation is provided in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3, which address the issue by preventing direct use of user-controlled parameters for session ID setting. Patch details are available in GitHub commits ce0192c62e48c9d9474d915c541b3274844afbf9 and e337b7cc74a0276a0b4f91f9282204d20cac1869, with additional guidance in the security advisory at GHSA-4gp7-cfjh-77gv.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in…

more

1.11.38 and 2.0.0-RC.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Session fixation in public-facing web app directly enables setting a known session identifier that is later used post-authentication, mapping to browser session hijacking via manipulated cookies and use of web session cookies as alternate authentication material.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-52482Same product: Chamilo Chamilo Lms
CVE-2025-55289Same product: Chamilo Chamilo Lms
CVE-2025-59543Same product: Chamilo Chamilo Lms
CVE-2025-59542Same product: Chamilo Chamilo Lms
CVE-2026-33702Same product: Chamilo Chamilo Lms
CVE-2026-30875Same product: Chamilo Chamilo Lms
CVE-2026-35196Same product: Chamilo Chamilo Lms
CVE-2025-52998Same product: Chamilo Chamilo Lms
CVE-2025-50192Same product: Chamilo Chamilo Lms
CVE-2025-50197Same product: Chamilo Chamilo Lms

Affected Assets

chamilo
chamilo lms
2.0.0 · ≤ 1.11.38

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 requires mechanisms to protect the authenticity of communications sessions, directly preventing session fixation by ensuring session identifiers cannot be manipulated via user-controlled parameters.

prevent

SI-10 mandates validation of information inputs, preventing the direct use of untrusted request parameters to set PHP session IDs in aicc_hacp.php.

prevent

CM-6 enforces secure configuration settings for session management, such as PHP's strict session mode, to reject or ignore attacker-supplied session identifiers.

References