Cyber Resilience

CVE-2026-34602

High

Published: 14 April 2026

Published
14 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0003 10.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34602 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

Chamilo LMS, an open-source learning management system, contains an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639) in versions prior to 2.0.0-RC.3, tracked as CVE-2026-34602. The issue affects the /api/course_rel_users endpoint, where the backend trusts user-supplied input in the user field of the request body without performing server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By modifying the user parameter in the request body, the attacker can enroll any arbitrary user into any course, enabling unauthorized manipulation of user-course relationships. Successful exploitation grants unintended access to course materials, bypasses enrollment controls, and compromises platform integrity.

The vulnerability is fixed in Chamilo LMS version 2.0.0-RC.3. Mitigation involves updating to this release or later, as detailed in the GitHub security advisory (GHSA-x373-8j9j-g5pj) and the associated commit fixes and release notes.

EU & UK References

Vulnerability details

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any…

more

arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The IDOR vulnerability allows an authenticated low-privileged attacker to bypass authorization checks and perform unauthorized modifications to user-course enrollments, directly enabling exploitation for privilege escalation by granting access and actions beyond intended permissions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32930Same product: Chamilo Chamilo Lms
CVE-2026-33702Same product: Chamilo Chamilo Lms
CVE-2026-33706Same product: Chamilo Chamilo Lms
CVE-2026-32894Same product: Chamilo Chamilo Lms
CVE-2026-40291Same product: Chamilo Chamilo Lms
CVE-2025-52469Same product: Chamilo Chamilo Lms
CVE-2026-32931Same product: Chamilo Chamilo Lms
CVE-2026-33714Same product: Chamilo Chamilo Lms
CVE-2025-50188Same product: Chamilo Chamilo Lms
CVE-2025-50193Same product: Chamilo Chamilo Lms

Affected Assets

chamilo
chamilo lms
2.0.0 · ≤ 1.11.38

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to resources, directly preventing IDOR by requiring server-side verification of permissions before modifying user-course relationships.

prevent

Mandates determining and authorizing access to specific system resources like user-course enrollments prior to operation execution, mitigating the lack of server-side checks in the vulnerable endpoint.

prevent

Applies least privilege to restrict low-privileged authenticated users from performing unauthorized actions on arbitrary user IDs, limiting IDOR exploitation scope.

References