Cyber Resilience

CVE-2026-31941

High

Published: 10 April 2026

Published
10 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0023 13.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31941 is a high-severity SSRF (CWE-918) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-31941 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Chamilo LMS, an open-source learning management system. The issue resides in the Social Wall feature, specifically the read_url_with_open_graph endpoint, which accepts a user-supplied URL via the social_wall_new_msg_main POST parameter and issues two server-side HTTP requests to that URL without validating whether it points to an internal or external resource. Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable, earning a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

An authenticated attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying a malicious URL, they can compel the server to originate arbitrary HTTP requests, enabling port scanning of internal networks, access to internal services, and retrieval of sensitive data such as cloud instance metadata endpoints (e.g., on AWS, Azure, or GCP).

The vulnerability is addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3 through fixes documented in GitHub commits e3790c5f0ff3b4dc547c2099fadf5c438c1bb265 and ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead, with further details in the security advisory at GHSA-q74c-mx8x-489h. Security practitioners should upgrade to these patched versions and review access controls on the Social Wall feature to mitigate exposure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter…

more

and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF allows authenticated attacker to force server-side HTTP requests to arbitrary/internal URLs, directly enabling port scanning for service discovery (T1046) and retrieval of cloud instance metadata (T1522).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50199Same product: Chamilo Chamilo Lms
CVE-2026-34160Same product: Chamilo Chamilo Lms
CVE-2026-33715Same product: Chamilo Chamilo Lms
CVE-2025-50197Same product: Chamilo Chamilo Lms
CVE-2026-33698Same product: Chamilo Chamilo Lms
CVE-2026-32930Same product: Chamilo Chamilo Lms
CVE-2025-50193Same product: Chamilo Chamilo Lms
CVE-2026-33702Same product: Chamilo Chamilo Lms
CVE-2025-50194Same product: Chamilo Chamilo Lms
CVE-2025-50198Same product: Chamilo Chamilo Lms

Affected Assets

chamilo
chamilo lms
2.0.0 · ≤ 1.11.38

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of user-supplied URLs in the social_wall_new_msg_main POST parameter to block SSRF exploitation by rejecting internal or malicious targets.

prevent

AC-4 enforces information flow controls to restrict application-initiated requests to unauthorized internal resources or ports, mitigating SSRF impacts.

prevent

SC-7 implements boundary protections like firewalls or proxies to deny server outbound connections to internal services and cloud metadata endpoints targeted by SSRF.

References