CVE-2026-34160

CVE-2026-34160 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the PENS (Package Exchange Notification Services) plugin of Chamilo LMS, an open-source learning management system. The affected endpoint, located at public/plugin/Pens/pens.php, is accessible without authentication and processes a user-controlled package-url parameter by fetching it server-side using curl. This fetch operation lacks filtering for private or internal IP addresses, allowing arbitrary network requests from the server context. The vulnerability impacts Chamilo LMS versions prior to 2.0.0-RC.3 and is rated 8.6 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), with associated CWEs-306 (Missing Authentication for Critical Function) and CWE-918 (SSRF).

Any unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the exposed endpoint, initiating SSRF to probe internal network services or access restricted resources. Potential impacts include scanning for internal hosts, retrieving sensitive cloud instance metadata from endpoints like 169.254.169.254 to exfiltrate IAM credentials, or invoking state-changing operations on internal services through the receipt and alerts callback parameters. The lack of authentication (PR:N) combined with network accessibility (AV:N) and scope change (S:C) enables high confidentiality impacts without requiring user interaction.

The issue has been addressed in Chamilo LMS version 2.0.0-RC.3, as detailed in the project's GitHub security advisory (GHSA-g2xj-4cch-j276), release notes, and the fixing commit (de4058d76fac2413afd023b1ec942e8e79579011). Security practitioners should upgrade to the patched version and review configurations to ensure the PENS plugin endpoint is not exposed unnecessarily.