CVE-2026-32894
Published: 10 April 2026
Summary
CVE-2026-32894 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). Its exploit likelihood ranks at the 10.1 percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-16 (Security and Privacy Attributes) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to gradebook results, directly preventing IDOR by requiring ownership or course-scope verification on delete operations.
- AC-16 (Security and Privacy Attributes): implements security attributes such as user ownership or course affiliation to validate access to specific gradebook objects during delete actions driven by GET parameters.
- AC-6 (Least Privilege): limits teachers to accessing and modifying only gradebook results within their assigned courses, reducing the scope of potential IDOR exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR in the gradebook delete operation enables unauthorized insertion/deletion of stored application data (student grade results) without ownership checks, which maps directly to Stored Data Manipulation (T1565.001) under the Impact tactic.
NVD Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Deeper analysis
CVE-2026-32894 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-476 and CWE-639, in Chamilo LMS, an open-source learning management system. It affects versions prior to 1.11.38 and 2.0.0-RC.3, specifically in the gradebook result view page, where no ownership or course-scope verification is performed on delete operations.
The vulnerability can be exploited over the network by any authenticated teacher with low privileges and no user interaction required. By manipulating the delete_mark or resultdelete GET parameters, an attacker can delete any student's grade result across the entire platform, regardless of course affiliation. This results in high integrity impact and low availability impact, as reflected in the CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).
Mitigation is provided in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3. Relevant patches are detailed in GitHub commits 3b03306d1a0301a81b9284e86893b27f518ab151 and 740f5a6e192a52a3adde3c3241c86401b1d2c519, with additional guidance in the security advisory at GHSA-rqpg-p95v-fv98.
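The missing course-scope check described above, as an added illustration that is not Chamilo's code: an in-memory model of the gradebook with the unchecked delete handler beside a scoped one that enforces AC-3/AC-16 and records denied attempts for detection. The names GradebookStore, delete_result_unchecked and delete_result_scoped and all sample data are constructed for this example; only the GET parameter names come from the advisory.

```python
"""Constructed model of a gradebook result delete: unchecked vs. course-scoped."""
from dataclasses import dataclass, field


@dataclass
class GradebookStore:
    # result_id -> (course_id, student_id); constructed sample rows
    results: dict = field(default_factory=lambda: {
        101: ("course-A", "alice"),
        102: ("course-A", "bob"),
        201: ("course-B", "carol"),
    })
    # teacher -> courses the teacher is assigned to; constructed sample rows
    teacher_courses: dict = field(default_factory=lambda: {
        "t_a": {"course-A"},
        "t_b": {"course-B"},
    })
    audit: list = field(default_factory=list)  # (action, teacher, result_id, course)


def delete_result_unchecked(store, teacher, params):
    """Vulnerable pattern (CWE-639): the id taken from the GET parameter is
    trusted as-is, so any teacher can delete any result platform-wide."""
    result_id = int(params.get("resultdelete") or params.get("delete_mark"))
    if result_id in store.results:
        del store.results[result_id]
        return "deleted"
    return "not_found"


def delete_result_scoped(store, teacher, params):
    """Hardened pattern: the result must belong to a course the requesting
    teacher is assigned to. Out-of-scope ids get the same answer as missing
    ids (no existence oracle) but are written to the audit trail."""
    raw = params.get("resultdelete") or params.get("delete_mark")
    try:
        result_id = int(raw)
    except (TypeError, ValueError):
        return "bad_request"
    entry = store.results.get(result_id)
    if entry is None:
        return "not_found"
    course_id, _student = entry
    if course_id not in store.teacher_courses.get(teacher, set()):
        # A denied cross-course delete is the event a detection rule keys on
        store.audit.append(("DENY", teacher, result_id, course_id))
        return "not_found"
    del store.results[result_id]
    store.audit.append(("DELETE", teacher, result_id, course_id))
    return "deleted"
```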
Details
- CWE(s)