Cyber Resilience

CVE-2026-32930

High

Published: 10 April 2026

Published
10 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0003 10.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32930 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-32930 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Chamilo LMS, an open-source learning management system. The issue resides in the gradebook evaluation edit page and impacts versions prior to 1.11.38 and 2.0.0-RC.3. It enables unauthorized access to evaluation settings through manipulation of the editeval GET parameter. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high integrity impact with low confidentiality impact and no availability impact.

Any authenticated teacher user can exploit this vulnerability over the network with low complexity and no user interaction required. By altering the editeval parameter, an attacker can view and modify critical evaluation settings—such as name, maximum score, and weight—for evaluations in courses they do not own or manage, potentially disrupting grading integrity across the platform.

The vulnerability is addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3 via fixes detailed in GitHub commits 63e1e6d3d717bd537c7c61719416da35aaa658dd and f03f681df939db0429edc8414fb3ce4e4b80d79d. Additional guidance is available in the security advisory at GHSA-9h22-wrg7-82q6, recommending immediate upgrades to patched versions for mitigation.

EU & UK References

Vulnerability details

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of…

more

evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

IDOR in gradebook edit functionality directly enables unauthorized modification of stored evaluation/grading data (name, score, weight) belonging to other courses, mapping to Stored Data Manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32894Same product: Chamilo Chamilo Lms
CVE-2026-33702Same product: Chamilo Chamilo Lms
CVE-2026-34602Same product: Chamilo Chamilo Lms
CVE-2026-30881Same product: Chamilo Chamilo Lms
CVE-2025-52469Same product: Chamilo Chamilo Lms
CVE-2026-32931Same product: Chamilo Chamilo Lms
CVE-2026-33714Same product: Chamilo Chamilo Lms
CVE-2025-50188Same product: Chamilo Chamilo Lms
CVE-2025-50193Same product: Chamilo Chamilo Lms
CVE-2025-50198Same product: Chamilo Chamilo Lms

Affected Assets

chamilo
chamilo lms
2.0.0 · ≤ 1.11.38

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to prevent authenticated teachers from viewing or modifying evaluation settings of other courses via the manipulated editeval GET parameter.

prevent

Applies least privilege to restrict teachers to only access and modify evaluations in their own assigned courses, reducing the impact of IDOR exploitation.

prevent

Validates the editeval parameter input to ensure it corresponds to an evaluation that the authenticated teacher is authorized to access or edit.

References