CVE-2026-31940
Published: 10 April 2026
Summary
CVE-2026-31940 is a high-severity Session Fixation (CWE-384) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires mechanisms to protect the authenticity of communications sessions, directly preventing session fixation by ensuring session identifiers cannot be manipulated via user-controlled parameters.
SI-10 mandates validation of information inputs, preventing the direct use of untrusted request parameters to set PHP session IDs in aicc_hacp.php.
CM-6 enforces secure configuration settings for session management, such as PHP's strict session mode, to reject or ignore attacker-supplied session identifiers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Session fixation in public-facing web app directly enables setting a known session identifier that is later used post-authentication, mapping to browser session hijacking via manipulated cookies and use of web session cookies as alternate authentication material.
NVD Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in…
more
1.11.38 and 2.0.0-RC.3.
Deeper analysisAI
CVE-2026-31940 is a session fixation vulnerability affecting Chamilo LMS, an open-source learning management system. In versions prior to 1.11.38 and 2.0.0-RC.3, the component main/lp/aicc_hacp.php directly uses user-controlled request parameters to set the PHP session ID before loading the global bootstrap file. This flaw, classified under CWE-384 (Session Fixation), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-10.
The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R), with unchanged scope (S:U). By controlling the session ID via manipulated request parameters, an attacker can force a victim's browser to use a predetermined session identifier. If the victim subsequently authenticates, the attacker may hijack the session, achieving high impacts on confidentiality, integrity, and availability.
Mitigation is provided in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3, which address the issue by preventing direct use of user-controlled parameters for session ID setting. Patch details are available in GitHub commits ce0192c62e48c9d9474d915c541b3274844afbf9 and e337b7cc74a0276a0b4f91f9282204d20cac1869, with additional guidance in the security advisory at GHSA-4gp7-cfjh-77gv.
Details
- CWE(s)