
CVE-2026-33715

Severity: High
Published: 14 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (fixed in Chamilo LMS 2.0.0-RC.3)
CVSS v3.1: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.0017 (37.5th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33715 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Chamilo LMS. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0017 places it at the 37.5th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33715 affects Chamilo LMS, an open-source learning management system, specifically in version 2.0-RC.2. The vulnerability stems from the file public/main/inc/ajax/install.ajax.php being accessible without authentication on fully installed instances, as it lacks inclusion of the global.inc.php file that enforces authentication and installation checks. The test_mailer action within this endpoint accepts an arbitrary Symfony Mailer DSN string from POST data, enabling Server-Side Request Forgery (SSRF) over the SMTP protocol (CWE-918, CWE-306). The issue has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the endpoint with a crafted SMTP DSN. Because the DSN host is attacker-controlled, the Chamilo server can be made to open an SMTP connection to any host the attacker names, including hosts on the internal network that are not reachable from the Internet (SSRF). Attackers can also point the DSN at their own relay and abuse the endpoint to turn the server into an open email relay for phishing or spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may leak information about internal network topology and services.
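Since the endpoint is only meant to be reachable during installation, any request to it on a fully installed instance is worth flagging. The following is an added detection example written for this page, not code from the Chamilo project or the advisory. It assumes that Chamilo 2.x serves the public/ directory as the web root (so the file is reached at /main/inc/ajax/install.ajax.php) and that the action is selected by an "a" query parameter; both are assumptions, and the log lines are constructed samples in combined log format, not real traffic.

```python
"""Flag requests to Chamilo's install.ajax.php in web-server access logs."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: public/ is the web root, so the endpoint from the advisory
# is reached at this URL path.
INSTALL_AJAX_PATH = "/main/inc/ajax/install.ajax.php"

# Constructed sample lines in "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2026:10:01:05 +0000] "POST /main/inc/ajax/install.ajax.php?a=test_mailer HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.9 - - [15/Apr/2026:10:02:11 +0000] "POST /main/inc/ajax/install.ajax.php HTTP/1.1" 200 94 "-" "curl/8.5.0"
203.0.113.7 - - [15/Apr/2026:10:02:40 +0000] "POST /main/inc/ajax/install.ajax.php?a=test_mailer HTTP/1.1" 200 87 "-" "python-requests/2.31"
192.0.2.4 - - [15/Apr/2026:10:03:00 +0000] "GET /main/inc/ajax/course.ajax.php?a=search HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str
    action: Optional[str]  # value of the "a" query parameter, if present (assumed name)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_install_ajax_hits(lines) -> List[Hit]:
    """Return every request whose URL path is the install AJAX endpoint.

    The match is on the path only (query string and method ignored), so a
    GET probe or a POST without the action parameter is still reported.
    """
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != INSTALL_AJAX_PATH:
            continue
        action = parse_qs(url.query).get("a", [None])[0]
        hits.append(Hit(rec["ip"], rec["ts"], rec["method"], url.path,
                        int(rec["status"]), rec["ua"], action))
    return hits


def sources(hits) -> Counter:
    """Count hits per source IP, to spot a single client hammering the endpoint."""
    return Counter(h.ip for h in hits)


if __name__ == "__main__":
    found = find_install_ajax_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} {h.path} a={h.action} status={h.status} ua={h.ua!r}")
    print("by source:", dict(sources(found)))
```

The DSN itself travels in the POST body, which a standard access log does not record, so this rule keys on the path alone; a web application firewall or request-body logging is needed if you want to see which SMTP host was targeted. On the sample above it reports three requests from two sources, two of them carrying the test_mailer action.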

The vulnerability has been addressed in Chamilo LMS version 2.0.0-RC.3, as detailed in the project's GitHub release notes and security advisory (GHSA-mxc9-9335-45mc). Security practitioners should upgrade to the patched version and verify that the install.ajax.php endpoint is no longer accessible without proper authentication checks.


Vulnerability details

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks.

Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

Vulnerability in public-facing Chamilo LMS enables unauthenticated remote exploitation (T1190) and SSRF-based probing of internal networks/services (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34160 (same product: Chamilo LMS)
CVE-2026-31941 (same product: Chamilo LMS)
CVE-2025-50199 (same product: Chamilo LMS)
CVE-2025-50192 (same product: Chamilo LMS)
CVE-2025-50190 (same product: Chamilo LMS)
CVE-2025-50187 (same product: Chamilo LMS)
CVE-2025-52469 (same product: Chamilo LMS)
CVE-2025-52998 (same product: Chamilo LMS)
CVE-2025-50188 (same product: Chamilo LMS)
CVE-2024-47886 (same product: Chamilo LMS)

Affected Assets

chamilo
chamilo lms
2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (AC-14, Permitted Actions Without Identification or Authentication): Directly addresses the lack of authentication checks on the install.ajax.php endpoint, preventing unauthenticated access to the test_mailer action.

prevent (SI-10, Information Input Validation): Validates the arbitrary Symfony Mailer DSN input from POST data to block SSRF connections to attacker-specified SMTP servers.

prevent: Suppresses detailed error responses from failed SMTP connections to prevent disclosure of internal network topology and services.
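The authentication check is the fix that shipped in 2.0.0-RC.3; the input-validation control is the second layer, for any code path that still turns a caller-supplied DSN into an outbound SMTP connection. The following is an added example of that layer, written for this page and not taken from Chamilo or Symfony: it parses a Symfony Mailer DSN (smtp://user:pass@host:port) and accepts it only if the transport scheme, host and port all match an explicit relay allowlist. The relay name mail.example.org and its ports are assumptions standing in for an organisation's real relay.

```python
"""Allowlist-based validation of a Symfony Mailer SMTP DSN before it is used."""
import ipaddress
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"smtp", "smtps"}

# Assumption: the organisation's only legitimate relay. The host is matched
# exactly, never by suffix, so "mail.example.org.attacker.net" does not pass.
ALLOWED_RELAYS = {"mail.example.org": {587, 465}}


class DsnRejected(ValueError):
    """Raised when a DSN fails validation; the message names the reason."""


def validate_mailer_dsn(dsn: str, allowed_relays=ALLOWED_RELAYS) -> dict:
    """Return the normalised transport parameters, or raise DsnRejected.

    Order of checks: scheme, host present, no IP literal, host allowlisted,
    port numeric, port present, port allowlisted. Rejecting IP literals is
    what closes the SSRF case: 127.0.0.1, 10.0.0.5 and [::1] never get as
    far as a DNS lookup or a socket.
    """
    parts = urlsplit(dsn)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise DsnRejected(f"transport scheme not allowed: {scheme!r}")

    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        raise DsnRejected("DSN has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise DsnRejected(f"IP-literal hosts are not allowed: {host!r}")
    if host not in allowed_relays:
        raise DsnRejected(f"host not in relay allowlist: {host!r}")

    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise DsnRejected("port is not numeric") from exc
    if port is None:
        raise DsnRejected("an explicit port is required")
    if port not in allowed_relays[host]:
        raise DsnRejected(f"port {port} not allowed for {host}")

    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "user": unquote(parts.username) if parts.username else None,
    }


if __name__ == "__main__":
    # Constructed sample DSNs: one acceptable, the rest representative attacks.
    samples = [
        "smtp://relay%40example.org:s3cret@mail.example.org:587",
        "smtp://10.0.0.5:25",
        "smtp://[::1]:25",
        "smtp://attacker.example.net:25",
        "sendmail://default",
        "smtp://mail.example.org:2525",
    ]
    for dsn in samples:
        try:
            print("ACCEPT", validate_mailer_dsn(dsn))
        except DsnRejected as exc:
            print("REJECT", dsn, "->", exc)
```

The rejection message is meant for the server log, not the HTTP response: echoing which hosts or ports were refused would recreate the information leak the third control above is there to stop.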
