CVE-2026-32892 Overview
CVE-2026-32892 is a critical OS Command Injection vulnerability in Chamilo LMS, a popular open-source learning management system. It lies in the file move routine in fileManage.lib.php: the move() function interpolates user-controlled path values directly into the shell commands it runs through exec(), without escaping them with escapeshellarg().
When a user moves a document via document.php, the move_to POST parameter passes through only Security::remove_XSS(), an HTML-oriented filter that does not neutralize shell metacharacters. The unsanitized value is concatenated directly into shell commands such as exec("mv $source $target"), which enables arbitrary command execution.
Critical Impact
Any authenticated user can achieve arbitrary command execution as the web server user (www-data) by exploiting the Course Backup Import feature to create directories with shell metacharacters, then moving documents into those directories.
Affected Products
- Chamilo LMS versions prior to 1.11.38
- Chamilo LMS versions prior to 2.0.0-RC.3
Discovery Timeline
- 2026-04-10 - CVE-2026-32892 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-32892
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The attack can be executed over the network without user interaction, and successful exploitation results in arbitrary command execution with the privileges of the web server user.
By default, Chamilo LMS enables all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course—including self-created courses—can move documents, significantly lowering the barrier to exploitation. The attacker must first place a directory containing shell metacharacters in its name on the filesystem, which is achievable through the Course Backup Import functionality, then move a document into that directory to trigger the command injection.
Root Cause
The root cause is the absence of proper shell argument escaping in the move() function within fileManage.lib.php. The Security::remove_XSS() function only filters HTML-related attack vectors and does not sanitize shell metacharacters such as backticks, semicolons, pipes, or command substitution syntax like $(command). When these unsanitized path values are concatenated directly into shell commands, attackers can inject arbitrary commands.
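As an added example (not Chamilo's own code), the following stand-in for the move() helper shows the vulnerable string construction beside the escapeshellarg() form the fix uses, plus a no-shell alternative built on rename() that is my suggestion, assuming only a local move inside the course document root is needed; all function names are hypothetical.

```php
<?php
// Added example (not Chamilo's code): a stand-in for the move() helper described
// above, first in its vulnerable shape, then hardened. All function names are hypothetical.

// Vulnerable shape: the user-controlled path is interpolated straight into the
// command string, so "; whoami #" inside a directory name becomes a second command.
function buildMoveCommandVulnerable(string $source, string $target): string
{
    return "mv $source $target";
}

// Hardened shape, the same pattern as the upstream fix: each argument is wrapped in
// escapeshellarg(), so the whole path stays one single-quoted argument.
function buildMoveCommandSafe(string $source, string $target): string
{
    return 'mv ' . escapeshellarg($source) . ' ' . escapeshellarg($target);
}

// Stronger alternative (assumption: only a local move is needed): no shell at all,
// and both endpoints are confined to the course document root via realpath().
function moveDocumentSafe(string $courseRoot, string $source, string $target): bool
{
    $root   = realpath($courseRoot);
    $src    = realpath($source);
    $dstDir = realpath(dirname($target));
    if ($root === false || $src === false || $dstDir === false) {
        return false;
    }
    foreach ([$src, $dstDir] as $p) {
        // Reject anything that resolves outside the course root (symlinks, "..").
        if (strpos($p . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
            return false;
        }
    }
    return rename($src, $dstDir . DIRECTORY_SEPARATOR . basename($target));
}

// Constructed sample: a directory name carrying the metacharacters from the advisory.
// Only the command strings are built and printed here; nothing is executed.
$dir = 'test; whoami #';
echo buildMoveCommandVulnerable('/srv/chamilo/doc.txt', "/srv/chamilo/$dir/doc.txt"), PHP_EOL;
echo buildMoveCommandSafe('/srv/chamilo/doc.txt', "/srv/chamilo/$dir/doc.txt"), PHP_EOL;
```

The first printed command contains an unquoted `;`, so a shell would treat everything after it as a separate command; the second keeps the full path inside single quotes as one argument.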
Attack Vector
The attack vector involves a multi-step exploitation process:
- The attacker authenticates to Chamilo LMS (any authenticated account suffices)
- The attacker creates a course, or uses an existing course in which they hold teacher privileges
- The attacker uses the Course Backup Import feature to create a directory whose name contains shell metacharacters (e.g., test; whoami #)
- The attacker moves a document via document.php into that directory
- The move_to POST parameter carrying the shell metacharacters reaches exec() without proper escaping
- The injected commands execute as the www-data web server user
The following patch from the security fix demonstrates how the vulnerability was addressed:
fclose($handle);
break;
case 'application/pdf':
- exec("pdftotext $doc_path -", $output, $ret_val);
+ exec("pdftotext ".escapeshellarg($doc_path)." -", $output, $ret_val);
break;
case 'application/postscript':
$temp_file = tempnam(sys_get_temp_dir(), 'chamilo');
- exec("ps2pdf $doc_path $temp_file", $output, $ret_val);
+ exec("ps2pdf ".escapeshellarg($doc_path)." ".escapeshellarg($temp_file), $output, $ret_val);
if ($ret_val !== 0) { // shell fail, probably 127 (command not found)
return false;
}
- exec("pdftotext $temp_file -", $output, $ret_val);
+ exec("pdftotext ".escapeshellarg($temp_file)." -", $output, $ret_val);
unlink($temp_file);
break;
case 'application/msword':
- exec("catdoc $doc_path", $output, $ret_val);
+ exec("catdoc ".escapeshellarg($doc_path), $output, $ret_val);
break;
case 'text/html':
- exec("html2text $doc_path", $output, $ret_val);
+ exec("html2text ".escapeshellarg($doc_path), $output, $ret_val);
break;
case 'text/rtf':
// Note: correct handling of code pages in unrtf
// on debian lenny unrtf v0.19.2 can not, but unrtf v0.20.5 can
- exec("unrtf --text $doc_path", $output, $ret_val);
+ exec("unrtf --text ".escapeshellarg($doc_path), $output, $ret_val);
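Review bot: the region shown wraps each $doc_path and $temp_file in escapeshellarg(), which is the right fix for these exec() calls, but they are the pdftotext/ps2pdf/catdoc/html2text/unrtf text-extraction paths, not the move() function in fileManage.lib.php that the advisory names as the vulnerable sink, so the commit should be checked for a matching change to the exec("mv ...") call. Two smaller points in the ps2pdf branch: the early return in `if ($ret_val !== 0) { // shell fail ...` / `return false;` leaves the tempnam() file behind, since `unlink($temp_file);` is only reached on success; and because exec() appends to an existing $output array, the ps2pdf output lines are carried into the pdftotext result unless $output is reset between the two calls.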
Source: GitHub Commit Update
Detection Methods for CVE-2026-32892
Indicators of Compromise
- Unusual web server process spawning child processes such as sh, bash, or unexpected system utilities
- Directory names containing shell metacharacters (;, |, $(), backticks) in Chamilo course document paths
- Web server logs showing suspicious move_to POST parameters with encoded or raw shell metacharacters
- Unexpected file modifications or new files created by the www-data user outside normal web directories
Detection Strategies
- Monitor web server logs for POST requests to document.php containing shell metacharacters in the move_to parameter
- Implement file integrity monitoring on Chamilo installation directories to detect unauthorized modifications
- Deploy web application firewall (WAF) rules to detect and block OS command injection patterns in POST data
- Audit process execution logs for the web server user executing unexpected shell commands
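The first detection strategy above, as an added example that is not part of the advisory or of Chamilo: a small PHP scanner that picks out document.php move requests whose move_to value carries shell metacharacters, including double-encoded ones. The log line layout and the sample lines are constructed assumptions; ordinary access logs do not record POST bodies, so this presumes a request-body logging source such as a WAF or audit log.

```php
<?php
// Added example, not from the advisory or Chamilo: flag document.php move requests whose
// move_to value carries shell metacharacters. Log layout is a constructed assumption:
//   <timestamp> <client-ip> "<METHOD> <path>" body="<urlencoded form body>"
// Characters that let a value break out of an unquoted shell argument (heuristic, not exhaustive).
const SHELL_META = '/[;&|`$()<>\n\r]/';

/** Decode repeatedly so a double-encoded value (%253B for ";") is also caught. */
function fullyDecode(string $s, int $maxRounds = 3): string
{
    while ($maxRounds-- > 0 && ($next = urldecode($s)) !== $s) {
        $s = $next;
    }
    return $s;
}

/** Decoded move_to value when it looks injected, null when the request is clean or irrelevant. */
function suspiciousMoveTo(string $line): ?string
{
    if (!preg_match('/"POST [^" ]*document\.php[^"]*" body="([^"]*)"/', $line, $m)) {
        return null;
    }
    parse_str($m[1], $params);  // one decoding round, the same as PHP applies to $_POST
    $moveTo = fullyDecode((string) ($params['move_to'] ?? ''));
    return preg_match(SHELL_META, $moveTo) ? $moveTo : null;
}

/** Scan log lines; returns one hit (line number, client, decoded value) per suspicious request. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $moveTo = suspiciousMoveTo($line);
        if ($moveTo !== null) {
            preg_match('/^\S+ (\S+) /', $line, $ip);
            $hits[] = ['line' => $n + 1, 'client' => $ip[1] ?? '?', 'move_to' => $moveTo];
        }
    }
    return $hits;
}

// Constructed sample traffic (not real logs): a clean move, a raw injection, a double-encoded one.
$sample = [
    '2026-04-12T10:00:01Z 203.0.113.5 "POST /main/document/document.php?cidReq=DEMO" body="action=move&move_to=%2Fshared%2Fslides&id=12"',
    '2026-04-12T10:00:07Z 203.0.113.9 "POST /main/document/document.php?cidReq=DEMO" body="action=move&move_to=%2Ftest%3B%20whoami%20%23&id=12"',
    '2026-04-12T10:00:09Z 203.0.113.9 "POST /main/document/document.php?cidReq=DEMO" body="action=move&move_to=%252Ftest%2524%2528id%2529&id=12"',
];
foreach (scanLog($sample) as $hit) {
    printf("line %d from %s: suspicious move_to %s\n", $hit['line'], $hit['client'], $hit['move_to']);
}
```

Only the second and third sample lines are reported; the first resolves to a plain path and stays silent.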
Monitoring Recommendations
- Enable detailed logging for PHP exec(), shell_exec(), system(), and passthru() function calls
- Configure alerts for the www-data user spawning interactive shells or running reconnaissance commands
- Monitor for Course Backup Import operations creating directories with special characters
- Implement network-level monitoring for potential data exfiltration following successful exploitation
How to Mitigate CVE-2026-32892
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 immediately
- If immediate patching is not possible, restrict course creation permissions by setting allow_users_to_create_courses = false
- Disable the Course Backup Import feature until the patch can be applied
- Audit existing course directories for suspicious directory names containing shell metacharacters
Patch Information
Chamilo has released security patches that address this vulnerability by implementing proper shell argument escaping using escapeshellarg() for all user-controlled inputs passed to shell commands. The fixes are available in versions 1.11.38 and 2.0.0-RC.3.
For detailed information about the security fix, refer to:
Workarounds
- Disable the document move functionality by modifying document.php to reject move operations
- Implement a reverse proxy or WAF rule to block POST requests containing shell metacharacters to document.php
- Restrict teacher-level access to trusted users only until the patch is applied
- Set restrictive file system permissions on course document directories
# Configuration example - Disable user course creation in Chamilo
# Edit app/config/configuration.php (PHP):
$_configuration['allow_users_to_create_courses'] = false;
# Then, from a shell on the server, restrict permissions on course directories
# (the tree stays owned by the web server user so Chamilo keeps working):
chmod -R 750 /var/www/chamilo/app/courses/
chown -R www-data:www-data /var/www/chamilo/app/courses/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

