CVE-2026-40291
Published: 14 April 2026
Summary
CVE-2026-40291 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent authenticated users from modifying sensitive user attributes like roles via API endpoints.
Implements least privilege to restrict users from escalating their own roles, directly countering improper privilege management.
Manages user accounts and role assignments to prohibit unauthorized self-modification of privileges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly allows authenticated users to modify their own roles field via the API endpoint, enabling privilege escalation to admin (T1068) through unauthorized account role/group changes (T1098.007).
NVD Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles…
more
field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.
Deeper analysisAI
CVE-2026-40291 is an insecure direct object modification vulnerability affecting Chamilo LMS, an open-source learning management system, in versions prior to 2.0.0-RC.3. The issue resides in the PUT /api/users/{id} endpoint, where the API Platform security expression is_granted('EDIT', object) only checks record ownership, while the roles field is included in the writable serialization group. This allows authenticated users to modify their own user record's roles field arbitrarily. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 269 (Improper Privilege Management) and 863 (Incorrect Authorization).
Any authenticated user with ROLE_STUDENT privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a PUT request to /api/users/{id} with their own user ID and setting the roles field to include ROLE_ADMIN, the attacker escalates their privileges. Successful exploitation grants full administrative control of the Chamilo LMS platform, enabling access to all courses, user data, grades, and administrative settings.
The vulnerability has been fixed in Chamilo LMS version 2.0.0-RC.3, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to this version or later to mitigate the issue, and review API endpoint authorizations in similar API Platform implementations. Relevant details are available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3 and https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x.
Details
- CWE(s)