CVE-2026-31940 Overview
CVE-2026-31940 is a session fixation vulnerability in Chamilo LMS, a widely used open-source learning management system. The flaw is in the main/lp/aicc_hacp.php file, where user-controlled request parameters are used directly to set the PHP session ID before the global bootstrap is loaded. This improper session management lets an attacker fixate a victim's session, potentially leading to account takeover and unauthorized access to sensitive educational data.
Critical Impact
Attackers can exploit this session fixation vulnerability to hijack authenticated user sessions, potentially gaining unauthorized access to student records, course materials, and administrative functions within the Chamilo LMS platform.
Affected Products
- Chamilo LMS versions prior to 1.11.38
- Chamilo LMS 2.x versions prior to 2.0.0-RC.3
Discovery Timeline
- April 10, 2026 - CVE-2026-31940 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31940
Vulnerability Analysis
This session fixation vulnerability (CWE-384) occurs in the AICC (Aviation Industry Computer-Based Training Committee) HACP (HTTP-based AICC Communication Protocol) implementation within Chamilo LMS. The vulnerable code path in main/lp/aicc_hacp.php accepts user-supplied input to directly set the PHP session identifier without proper validation or sanitization. Because this occurs before the global bootstrap loads, standard security controls are bypassed.
Session fixation attacks allow an adversary to force a known session identifier onto a victim. When the victim subsequently authenticates, the attacker can use the pre-established session ID to access the authenticated session. In the context of an LMS, this could expose student grades, personal information, course content, and potentially administrative functionality depending on the compromised account's privileges.
Root Cause
The root cause is improper session management where user-controlled request parameters are used to set the PHP session ID before security bootstrapping occurs. The AICC HACP protocol implementation trusts external input for session identification without regenerating session IDs upon authentication, enabling session fixation attacks.
Attack Vector
The attack is network-based and requires user interaction. An attacker can craft a malicious URL containing a predetermined session identifier and trick a victim into clicking it. When the victim authenticates to Chamilo LMS, the attacker can then use the same session ID to hijack the authenticated session. The attack complexity is high due to the need for social engineering and timing, but successful exploitation results in complete compromise of the victim's session with full read and write access to their account data.
The patches provided by Chamilo completely deprecate and disable AICC support functionality, removing the vulnerable code path entirely:
// Security patch in main/inc/lib/UnserializeApi.php - LP: Deprecate and disable AICC support functionality
[
learnpath::class,
learnpathItem::class,
- aicc::class,
- aiccBlock::class,
- aiccItem::class,
- aiccObjective::class,
- aiccResource::class,
+ //aicc::class,
+ //aiccBlock::class,
+ //aiccItem::class,
+ //aiccObjective::class,
+ //aiccResource::class,
scorm::class,
scormItem::class,
scormMetadata::class,
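Review bot: The five `+` lines comment the AICC classes out (`//aicc::class,` through `//aiccResource::class,`) instead of deleting them; since the feature is being deprecated outright, removing the entries keeps the allowed-class list readable and avoids dead lines that a later cleanup could re-enable by mistake. Note also that this hunk only narrows the class allowlist in main/inc/lib/UnserializeApi.php and does not touch main/lp/aicc_hacp.php, so the full commit should be checked to confirm that the endpoint reading the session ID from the request is itself removed or disabled, as the surrounding text states.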
Source: GitHub Commit
Detection Methods for CVE-2026-31940
Indicators of Compromise
- Unusual requests to main/lp/aicc_hacp.php containing session ID parameters in query strings
- Multiple sessions from different IP addresses sharing the same session identifier
- Anomalous authentication patterns where session IDs exist before user login events
- HTTP requests with externally-supplied PHPSESSID or similar session parameters targeting AICC endpoints
Detection Strategies
- Monitor web server access logs for requests to /main/lp/aicc_hacp.php with suspicious session-related parameters
- Implement web application firewall (WAF) rules to detect session ID injection attempts in URL parameters
- Enable PHP session logging and analyze for session fixation patterns where session creation and authentication occur from different source IPs
- Deploy intrusion detection signatures for AICC HACP protocol abuse targeting Chamilo installations
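The log-based indicators and detection strategies above, as an added Python example that is not part of the advisory or of Chamilo: it parses constructed Apache combined-format access-log lines, flags requests to the /main/lp/aicc_hacp.php endpoint whose query string carries a session identifier, and reports identifiers presented from more than one source IP. The parameter names it treats as session identifiers (PHPSESSID, session_id, sid) are an assumption, since the advisory does not name the parameter the vulnerable code reads; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory.
AICC_ENDPOINT = "/main/lp/aicc_hacp.php"

# Query-string parameter names treated as session identifiers. The exact
# parameter read by the vulnerable code is not given in the advisory, so this
# set is an assumption; extend it from your own traffic.
SESSION_PARAMS = {"phpsessid", "session_id", "sid"}

# Apache/nginx combined format: ip ident user [time] "method url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): two different source IPs present
# the same session identifier to the AICC endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2026:09:12:01 +0000] "GET /main/lp/aicc_hacp.php?session_id=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2026:09:12:45 +0000] "POST /main/lp/aicc_hacp.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2026:09:13:02 +0000] "GET /main/lp/lp_controller.php?action=view HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2026:09:14:10 +0000] "GET /main/lp/aicc_hacp.php?PHPSESSID=abc123def456 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.55 - - [10/Apr/2026:09:15:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def aicc_session_requests(lines):
    """Requests to the AICC endpoint carrying a session identifier in the query string."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if not parts.path.endswith(AICC_ENDPOINT):
            continue
        for name, values in parse_qs(parts.query).items():
            if name.lower() in SESSION_PARAMS:
                hits.append({"ip": rec["ip"], "time": rec["time"],
                             "param": name, "sid": values[0]})
    return hits


def shared_session_ids(hits):
    """Session identifiers presented from more than one source IP."""
    by_sid = defaultdict(set)
    for h in hits:
        by_sid[h["sid"]].add(h["ip"])
    return {sid: ips for sid, ips in by_sid.items() if len(ips) > 1}


if __name__ == "__main__":
    hits = aicc_session_requests(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['param']}={h['sid']}")
    for sid, ips in shared_session_ids(hits).items():
        print(f"ALERT: session {sid} seen from {sorted(ips)}")
```

Access logs expose only the query string; a session ID carried in a POST body or cookie is not visible here, so pair this with the PHP session logging recommended above. After patching, any hit on the endpoint at all is worth an alert, since the feature has been removed.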
Monitoring Recommendations
- Configure real-time alerting for access attempts to deprecated AICC endpoints after patching
- Implement session management monitoring to detect sessions that persist across multiple authentication events without regeneration
- Review authentication logs for patterns indicating session hijacking following suspicious AICC endpoint activity
How to Mitigate CVE-2026-31940
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.38 or later for the 1.x branch
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later for the 2.x branch
- If immediate patching is not possible, restrict or block access to main/lp/aicc_hacp.php at the web server level
- Review session logs for any signs of prior exploitation
Patch Information
Security patches are available through the official Chamilo GitHub repository. The fix completely deprecates and disables AICC support functionality, eliminating the vulnerable code path. Two commits address this vulnerability across both the 1.x and 2.x branches:
For complete details, refer to the GitHub Security Advisory GHSA-4gp7-cfjh-77gv.
Workarounds
- Block access to the vulnerable AICC endpoint at the web server or reverse proxy level if AICC functionality is not required
- Implement strict session management controls including session regeneration on authentication
- Configure PHP to reject externally-supplied session IDs using session.use_strict_mode = 1
# Apache configuration to block vulnerable AICC endpoint
<Location "/main/lp/aicc_hacp.php">
Require all denied
</Location>
# PHP configuration hardening for session management
# Add to php.ini
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
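To show why the Root Cause and Workarounds sections pair session.use_strict_mode with session regeneration on authentication, here is an added Python model of a session store. It is not Chamilo code and does not call PHP's session functions; strict_mode models rejecting identifiers the server never issued, and regenerate_on_login models rotating the identifier when the user authenticates. The planted identifier and user name are constructed values.

```python
import secrets


class SessionStore:
    """Toy model of a server-side session store (added example, not Chamilo code).

    strict_mode: an identifier the server never issued is rejected and a fresh
    one is created instead (models session.use_strict_mode = 1).
    regenerate_on_login: the identifier is replaced when the user authenticates,
    so the pre-authentication identifier stops resolving to the session.
    """

    def __init__(self, strict_mode, regenerate_on_login):
        self.strict_mode = strict_mode
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> session data

    def new_id(self):
        return secrets.token_hex(16)

    def start(self, requested_sid=None):
        """Begin a request; returns the session id the client should use from now on."""
        if requested_sid is not None and requested_sid in self.sessions:
            return requested_sid  # known id: accepted in every mode
        if requested_sid is not None and not self.strict_mode:
            # Legacy behaviour: adopt whatever id the client supplied.
            self.sessions[requested_sid] = {}
            return requested_sid
        sid = self.new_id()
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        """Authenticate the session; returns the id that is valid after login."""
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)
            sid = self.new_id()
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def user_of(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(store):
    """A never-issued id is presented before login. Returns the user that id
    resolves to after authentication; None means the store is not fixated."""
    planted_sid = "plantedid0001"  # constructed value, never issued by the server
    victim_sid = store.start(requested_sid=planted_sid)
    store.login(victim_sid, "student42")
    return store.user_of(planted_sid)


def fixation_with_issued_id(store):
    """Variant: the planted id was first issued by the server itself, so strict
    mode alone accepts it; only regeneration on login breaks the link."""
    planted_sid = store.start()  # server-issued, unauthenticated
    victim_sid = store.start(requested_sid=planted_sid)
    store.login(victim_sid, "student42")
    return store.user_of(planted_sid)


if __name__ == "__main__":
    for strict, regen in [(False, False), (True, False), (False, True), (True, True)]:
        a = fixation_scenario(SessionStore(strict, regen))
        b = fixation_with_issued_id(SessionStore(strict, regen))
        print(f"strict={strict!s:5} regenerate={regen!s:5} "
              f"never-issued id -> {a}, server-issued id -> {b}")
```

The second scenario is the reason both controls are listed: strict mode only refuses identifiers the server did not create, so an identifier that was validly issued and then planted is still accepted, and only regenerating the identifier at login prevents it from inheriting the authenticated session.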
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

