Cyber Posture

CVE-2026-34602

High

Published: 14 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: 2.0.0-RC.3
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0003 (8.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34602 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Chamilo LMS. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 8.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Enforces approved authorizations for logical access to resources, directly preventing IDOR by requiring server-side verification of permissions before modifying user-course relationships.

prevent: Mandates determining and authorizing access to specific system resources like user-course enrollments prior to operation execution, mitigating the lack of server-side checks in the vulnerable endpoint.

prevent: Applies least privilege to restrict low-privileged authenticated users from performing unauthorized actions on arbitrary user IDs, limiting IDOR exploitation scope.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The IDOR vulnerability allows an authenticated low-privileged attacker to bypass authorization checks and perform unauthorized modifications to user-course enrollments, directly enabling exploitation for privilege escalation by granting access and actions beyond intended permissions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.

Deeper analysis [AI]

Chamilo LMS, an open-source learning management system, contains an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639) in versions prior to 2.0.0-RC.3, tracked as CVE-2026-34602. The issue affects the /api/course_rel_users endpoint, where the backend trusts user-supplied input in the user field of the request body without performing server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By modifying the user parameter in the request body, the attacker can enroll any arbitrary user into any course, enabling unauthorized manipulation of user-course relationships. Successful exploitation grants unintended access to course materials, bypasses enrollment controls, and compromises platform integrity.

The vulnerability is fixed in Chamilo LMS version 2.0.0-RC.3. Mitigation involves updating to this release or later, as detailed in the GitHub security advisory (GHSA-x373-8j9j-g5pj) and the associated commit fixes and release notes.
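The following is an added illustration, not Chamilo's code and not taken from the advisory or the fix commit. It models the authorization failure described above (the handler trusts the user field of the body) next to the server-side check the NIST AC-3 / AC-24 controls call for, and adds a retrospective log check a defender could run over the pre-patch window. The class and function names, the role model (admin, course teacher, everyone else) and the log line format are assumptions made for this example.

```python
# Constructed example, not Chamilo's code: models the authorization failure
# behind CVE-2026-34602 (CWE-639) and the server-side check that closes it.
# User, Course, enroll_vulnerable, enroll_fixed, flag_cross_user_enrollments
# and the log line format are assumptions made for this illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    is_admin: bool = False


@dataclass
class Course:
    course_id: int
    teacher_ids: set = field(default_factory=set)
    enrolled: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the requester may not act on the referenced user id."""


def enroll_vulnerable(requester: User, body: dict, courses: dict) -> set:
    """The pattern the advisory describes: the 'user' field from the request
    body is used directly as the object key; 'requester' is never consulted,
    so any authenticated session can enroll any user id into any course."""
    course = courses[int(body["course"])]
    course.enrolled.add(int(body["user"]))
    return course.enrolled


def may_enroll(requester: User, target_user_id: int, course: Course) -> bool:
    """Authorization decision (AC-24) made from the session identity, never
    from the body: platform admins and the course's own teachers may enroll
    others; everyone else may only enroll themselves (assumed role model)."""
    if requester.is_admin or requester.user_id in course.teacher_ids:
        return True
    return requester.user_id == target_user_id


def enroll_fixed(requester: User, body: dict, courses: dict) -> set:
    """Hardened handler: validate the keys, then enforce the decision (AC-3)
    before the user-course relationship is modified."""
    try:
        course_id = int(body["course"])
        target_user_id = int(body["user"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("course and user must be integer ids") from None
    course = courses.get(course_id)
    if course is None:
        raise LookupError(f"no such course {course_id}")
    if not may_enroll(requester, target_user_id, course):
        # Deny without revealing whether target_user_id exists.
        raise Forbidden("not permitted to enroll that user")
    course.enrolled.add(target_user_id)
    return course.enrolled


# Constructed application log lines (not a real Chamilo log format): one
# record per enrollment request, carrying the session user id and role and
# the user id taken from the request body.
SAMPLE_LOG = """\
2026-04-15T10:02:11Z POST /api/course_rel_users requester=42 role=student body_user=42 course=3 status=201
2026-04-15T10:02:40Z POST /api/course_rel_users requester=42 role=student body_user=7 course=3 status=201
2026-04-15T10:03:05Z POST /api/course_rel_users requester=9 role=teacher body_user=7 course=3 status=201
2026-04-15T10:04:19Z POST /api/course_rel_users requester=42 role=student body_user=8 course=5 status=201
"""


def flag_cross_user_enrollments(log_text: str) -> list:
    """Retrospective check for the pre-patch window: successful enrollment
    requests where a non-privileged session acted on a different user id."""
    flagged = []
    for line in log_text.splitlines():
        if "/api/course_rel_users" not in line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        privileged = fields.get("role") in {"admin", "teacher"}
        if (fields.get("status") == "201" and not privileged
                and fields.get("requester") != fields.get("body_user")):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    courses = {3: Course(3, teacher_ids={9})}
    student = User(42)
    # Vulnerable path: student 42 enrolls user 7 into course 3 unchecked.
    print(enroll_vulnerable(student, {"user": "7", "course": "3"}, courses))
    # Fixed path: the same request is refused; self-enrollment still works.
    try:
        enroll_fixed(student, {"user": "7", "course": "3"}, courses)
    except Forbidden as exc:
        print("denied:", exc)
    print(enroll_fixed(student, {"user": "42", "course": "3"}, courses))
    print(len(flag_cross_user_enrollments(SAMPLE_LOG)), "suspicious log lines")
```

The point of the split between may_enroll and enroll_fixed is that the decision is taken from the authenticated session and the course's own membership data, and the body value is only ever treated as the object being acted on, never as evidence of who is acting. The log check is the same comparison applied after the fact: any successful request where the session user and the body user differ and the session held no elevated role is worth reviewing for the period before 2.0.0-RC.3 was deployed.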

Details

CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products

Vendor: chamilo
Product: chamilo lms
Versions: 2.0.0 · ≤ 1.11.38

CVEs Like This One

CVE-2026-32930 (same product: Chamilo Chamilo Lms)
CVE-2026-33706 (same product: Chamilo Chamilo Lms)
CVE-2026-33702 (same product: Chamilo Chamilo Lms)
CVE-2026-32894 (same product: Chamilo Chamilo Lms)
CVE-2026-40291 (same product: Chamilo Chamilo Lms)
CVE-2025-59542 (same product: Chamilo Chamilo Lms)
CVE-2025-50192 (same product: Chamilo Chamilo Lms)
CVE-2026-33710 (same product: Chamilo Chamilo Lms)
CVE-2026-31939 (same product: Chamilo Chamilo Lms)
CVE-2025-59543 (same product: Chamilo Chamilo Lms)

References