CVE-2026-32930
Published: 10 April 2026
Summary
CVE-2026-32930 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 8.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent authenticated teachers from viewing or modifying evaluation settings of other courses via the manipulated editeval GET parameter.
Applies least privilege to restrict teachers to only access and modify evaluations in their own assigned courses, reducing the impact of IDOR exploitation.
Validates the editeval parameter input to ensure it corresponds to an evaluation that the authenticated teacher is authorized to access or edit.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in gradebook edit functionality directly enables unauthorized modification of stored evaluation/grading data (name, score, weight) belonging to other courses, mapping to Stored Data Manipulation.
NVD Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of…
more
evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Deeper analysisAI
CVE-2026-32930 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Chamilo LMS, an open-source learning management system. The issue resides in the gradebook evaluation edit page and impacts versions prior to 1.11.38 and 2.0.0-RC.3. It enables unauthorized access to evaluation settings through manipulation of the editeval GET parameter. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high integrity impact with low confidentiality impact and no availability impact.
Any authenticated teacher user can exploit this vulnerability over the network with low complexity and no user interaction required. By altering the editeval parameter, an attacker can view and modify critical evaluation settings—such as name, maximum score, and weight—for evaluations in courses they do not own or manage, potentially disrupting grading integrity across the platform.
The vulnerability is addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3 via fixes detailed in GitHub commits 63e1e6d3d717bd537c7c61719416da35aaa658dd and f03f681df939db0429edc8414fb3ce4e4b80d79d. Additional guidance is available in the security advisory at GHSA-9h22-wrg7-82q6, recommending immediate upgrades to patched versions for mitigation.
Details
- CWE(s)