CVE-2026-33702
Published: 10 April 2026
Summary
CVE-2026-33702 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces approved authorizations to prevent authenticated users from modifying another user's Learning Path progress via the uid parameter.
Implements least privilege to restrict users to accessing and modifying only their own Learning Path progress data.
Validates the uid input parameter against the authenticated user's identity to block unauthorized object references.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in web-based LMS endpoint enables unauthorized stored data modification (T1565.001) and is exploitable via network-accessible web app (T1190).
NVD Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from…
more
$_REQUEST and uses it to load and modify another user's Learning Path progress — including score, status, completion, and time — without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Deeper analysisAI
CVE-2026-33702 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Chamilo LMS, an open-source learning management system. The issue resides in the lp_ajax_save_item.php endpoint used for saving Learning Path progress. In versions prior to 1.11.38 and 2.0.0-RC.3, the endpoint accepts a uid (user ID) parameter directly from $_REQUEST without verifying that it matches the requesting user, allowing unauthorized modification of another user's Learning Path data, including score, status, completion, and time spent. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), indicating high integrity impact with low privileges required.
Any authenticated user enrolled in a course can exploit this vulnerability over the network with low complexity and no user interaction. By simply modifying the uid parameter in a request to lp_ajax_save_item.php, an attacker can overwrite the Learning Path progress of any other user in the same course, potentially disrupting educational tracking, falsifying achievements, or enabling academic fraud.
The vulnerability is addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3 through fixes documented in GitHub commits 6331d051b4468deb5830c01d1e047c5e5cf2c74f and bf3f6c6949b5c882b48a9914baa19910417e4551, as detailed in the security advisory GHSA-3rv7-9fhx-j654. Security practitioners should upgrade to these patched versions to mitigate the risk.
Details
- CWE(s)