CVE-2026-33715
Published: 14 April 2026
Summary
CVE-2026-33715 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Chamilo LMS. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly addresses the lack of authentication checks on the install.ajax.php endpoint, preventing unauthenticated access to the test_mailer action.
- Validates the arbitrary Symfony Mailer DSN input from POST data to block SSRF connections to attacker-specified SMTP servers.
- Suppresses detailed error responses from failed SMTP connections to prevent disclosure of internal network topology and services.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability in the public-facing Chamilo LMS application enables unauthenticated remote exploitation (T1190) and SSRF-based probing of internal networks and services (T1046).
NVD Description
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.
Deeper analysis (AI)
CVE-2026-33715 affects Chamilo LMS, an open-source learning management system, specifically version 2.0-RC.2. The vulnerability stems from the file public/main/inc/ajax/install.ajax.php being accessible without authentication on fully installed instances, because it does not include the global.inc.php file that enforces authentication and installation-completed checks. The test_mailer action within this endpoint accepts an arbitrary Symfony Mailer DSN string from POST data, enabling Server-Side Request Forgery (SSRF) over the SMTP protocol (CWE-918, CWE-306). The issue has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the endpoint with a malicious SMTP DSN. This allows them to force the Chamilo server to connect to an attacker-specified SMTP server, facilitating SSRF to probe internal networks. Attackers can also abuse the endpoint to turn the server into an open email relay for phishing or spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may leak information about internal network topology and services.
The vulnerability has been addressed in Chamilo LMS version 2.0.0-RC.3, as detailed in the project's GitHub release notes and security advisory (GHSA-mxc9-9335-45mc). Security practitioners should upgrade to the patched version and verify that the install.ajax.php endpoint is no longer accessible without proper authentication checks.
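Because install.ajax.php has no legitimate use once installation is complete, any request to it on an installed instance is worth reviewing. The following is an added example (not from the Chamilo project or this advisory) that scans combined-format web server access logs for such requests and summarizes them per source IP; the log lines and the installation date are constructed values. Note that the test_mailer action name is carried in the POST body, which access logs do not record, so the check keys on the endpoint path and timing rather than on the action.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:10:01:02 +0000] "POST /main/inc/ajax/install.ajax.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.9 - - [15/Apr/2026:10:01:05 +0000] "GET /main/inc/ajax/course.ajax.php?a=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2026:10:01:09 +0000] "POST /main/inc/ajax/install.ajax.php HTTP/1.1" 500 300 "-" "python-requests/2.31"
192.0.2.44 - - [01/Mar/2026:09:00:00 +0000] "POST /main/inc/ajax/install.ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed (constructed value): installation of this instance finished on 2 March 2026.
INSTALLED_AT = datetime(2026, 3, 2, tzinfo=timezone.utc)

INSTALL_AJAX = "/main/inc/ajax/install.ajax.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def find_post_install_hits(log_text, installed_at):
    """Return requests to install.ajax.php made after installation completed."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].endswith(INSTALL_AJAX) and entry["ts"] >= installed_at:
            hits.append(entry)
    return hits

def summarize_by_source(hits):
    """Group hits per client IP: request count, HTTP methods seen, and 5xx responses."""
    summary = defaultdict(lambda: {"count": 0, "methods": set(), "errors": 0})
    for h in hits:
        s = summary[h["ip"]]
        s["count"] += 1
        s["methods"].add(h["method"])
        if h["status"] >= 500:
            s["errors"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarize_by_source(find_post_install_hits(SAMPLE_LOG, INSTALLED_AT)).items():
        print(f"{ip}: {s['count']} request(s), methods={sorted(s['methods'])}, 5xx={s['errors']}")
```

On a patched instance (2.0.0-RC.3 or later) the same scan is still useful as a regression check, since the endpoint should reject unauthenticated calls rather than serve them.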
Details
- CWE(s)