CVE-2026-33706
Published: 10 April 2026
Summary
CVE-2026-33706 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces least privilege principle, preventing low-privileged users like students from escalating their status to Teacher or CourseManager via the API endpoint.
Requires enforcement of approved authorizations, directly blocking unauthorized self-modification of the status field in the update_user_from_username endpoint.
Mandates proper management of user accounts and privileges, reducing risks of improper API-based privilege changes through reviews and approvals.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an improper privilege management flaw in a web application's REST API that allows low-privileged authenticated users to modify their own status/roles, directly enabling exploitation of the software vulnerability to achieve unauthorized privilege escalation.
NVD Description
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course…
more
creation and management privileges. This vulnerability is fixed in 1.11.38.
Deeper analysisAI
CVE-2026-33706 is an improper privilege management vulnerability (CWE-269) in Chamilo LMS, an open-source learning management system. In versions prior to 1.11.38, the update_user_from_username endpoint in the REST API allows any authenticated user with an API key to modify their own status field, enabling unauthorized privilege escalation.
The vulnerability can be exploited over the network by low-privileged authenticated users, such as students (status=5), with low complexity and no user interaction required. Successful exploitation allows the attacker to elevate their status to Teacher or CourseManager (status=1), granting privileges for course creation and management. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), reflecting high integrity impact.
The vulnerability is addressed in Chamilo LMS 1.11.38. Mitigation details are available in the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw and the fixing commit at https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127.
Details
- CWE(s)