{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31940", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.655Z", "datePublished": "2026-04-10T17:35:10.661Z", "dateUpdated": "2026-04-14T14:12:28.550Z"}, "containers": {"cna": {"title": "Session Fixation in Chamilo LMS", "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.38", "status": "affected"}, {"version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:35:10.661Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "source": {"advisory": "GHSA-4gp7-cfjh-77gv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:12:20.377261Z", "id": "CVE-2026-31940", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:12:28.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:12:20.377261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:12:24.534Z"}}], "cna": {"title": "Session Fixation in Chamilo LMS", "source": {"advisory": "GHSA-4gp7-cfjh-77gv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.38"}, {"status": "affected", "version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9", "name": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869", "name": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:35:10.661Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31940", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:12:28.550Z", "dateReserved": "2026-03-10T15:10:10.655Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T17:35:10.661Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621", "versionEndExcluding": "1.11.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "A84A06F9-5AB7-4703-8153-33AC68882B95", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B91302A3-53DE-4ED0-BAAB-FE9DA03F8242", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "46008D4A-96F7-4E04-8256-E115AAAE3383", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6E2BCAFF-D44B-4E67-998A-DF855E27606B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D2E7D018-E4C2-45F5-8D9A-DAC947173607", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "id": "CVE-2026-31940", "lastModified": "2026-04-17T21:31:36.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T18:16:41.483", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-alpha.1,2.0.0-RC.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-10T20:24:38.935371+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Chamilo LMS to version 1.11.38 or higher, or to 2.0.0\u2011RC.3 or higher.", "After upgrading, verify that the aicc_hacp.php file no longer assigns the session ID from user input.", "If an upgrade cannot be performed immediately, block access to the aicc_hacp.php endpoint or disable the affected feature until the patch is applied.", "Monitor audit logs for abnormal session fixation attempts and ensure session cookies have the Secure and HttpOnly flags set."], "summary": {"action": "Patch Now", "impact": "Prevent session hijack"}, "threat_synthesis": {"affected_systems": "All deployments of Chamilo LMS running a version earlier than 1.11.38 or 2.0.0\u2011RC.3 are vulnerable. The flaw resides in the public\u2011facing aicc_hacp.php endpoint. Any installation that has not applied the recent patch remains at risk.", "description_and_impact": "Chamilo LMS, a learning management system, contains a session fixation flaw in the file main/lp/aicc_hacp.php. The code accepts user-supplied parameters and assigns them directly to the PHP session ID before the system initializes. This weakness, classified as CWE\u2011384, allows an attacker to set a predetermined session identifier, potentially taking over a legitimate user\u2019s session after the user accesses the vulnerable page.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating high severity, and the EPSS score is not available, so the global exploitation probability cannot be quantified. The issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request targeting the aicc_hacp.php endpoint where an attacker can supply a chosen session ID. If successful, the attacker would assume the victim\u2019s privileges, compromising confidentiality, integrity, and availability of the LMS and any protected content. This assessment is inferred from the description because the exploit path is not explicitly detailed in the input."}}}}, "created": "2026-04-13T12:43:40.312376+00:00", "updated": "2026-04-13T13:00:03.826610+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}