{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33702", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.746Z", "datePublished": "2026-04-10T18:15:49.964Z", "dateUpdated": "2026-04-13T15:36:13.742Z"}, "containers": {"cna": {"title": "Chamilo LMS has an Insecure Direct Object Reference (IDOR)", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.38", "status": "affected"}, {"version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T18:15:49.964Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress \u2014 including score, status, completion, and time \u2014 without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "source": {"advisory": "GHSA-3rv7-9fhx-j654", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:28:28.539478Z", "id": "CVE-2026-33702", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:36:13.742Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33702", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:28:28.539478Z"}}}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:24:10.856Z"}}], "cna": {"title": "Chamilo LMS has an Insecure Direct Object Reference (IDOR)", "source": {"advisory": "GHSA-3rv7-9fhx-j654", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.38"}, {"status": "affected", "version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f", "name": "https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551", "name": "https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress \u2014 including score, status, completion, and time \u2014 without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T18:15:49.964Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33702", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:36:13.742Z", "dateReserved": "2026-03-23T17:06:05.746Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T18:15:49.964Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621", "versionEndExcluding": "1.11.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "A84A06F9-5AB7-4703-8153-33AC68882B95", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B91302A3-53DE-4ED0-BAAB-FE9DA03F8242", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "46008D4A-96F7-4E04-8256-E115AAAE3383", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6E2BCAFF-D44B-4E67-998A-DF855E27606B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D2E7D018-E4C2-45F5-8D9A-DAC947173607", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress \u2014 including score, status, completion, and time \u2014 without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "id": "CVE-2026-33702", "lastModified": "2026-04-16T18:48:21.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T19:16:23.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-alpha.1,2.0.0-RC.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-10T19:20:56.471624+00:00", "value": {"mitigation_remediation": ["Upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0\u2011RC.3 or later.", "If an upgrade is not yet possible, review and restrict course enrollee permissions so users cannot invoke the progress\u2011saving endpoint.", "Monitor system logs for anomalous progress\u2011saving requests with mismatched user IDs.", "Notify users that progress data may be unreliable if the system is running an affected version."], "summary": {"action": "Patch Now", "impact": "Data Integrity Compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Chamilo LMS versions prior to 1.11.38 and 2.0.0\u2011RC.3. Any deployment running an older main branch may be affected; this includes enterprise installations and community builds below those release thresholds.", "description_and_impact": "Chamilo LMS allows an authenticated user to alter another user\u2019s learning path progress data such as score, status, completion, and time. This occurs because the progress\u2011saving endpoint accepts a user ID from the request and applies changes to that ID without validation, exposing an insecure direct object reference. The flaw can lead to deceptive records, misrepresenting a learner\u2019s achievements.", "risk_and_exploitability": "With a CVSS score of 7.1, the risk is considered high. An attacker only needs to be authenticated and enrolled in a course, then modify the uid parameter in an HTTP request to overwrite another user\u2019s progress. Because the exploit does not require elevated privileges or external setup, the attack vector is straightforward, making exploitation likely. The vulnerability is not listed in the CISA KEV catalog and no EPSS score is available, but its moderate severity and straightforward exploitation path warrant immediate attention."}}}}, "created": "2026-04-13T12:43:28.454148+00:00", "updated": "2026-04-13T12:59:48.891516+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}