Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32894

CVE-2026-32894: Chamilo LMS Auth Bypass Vulnerability

CVE-2026-32894 is an authentication bypass flaw in Chamilo LMS that allows authenticated teachers to delete any student's grade across the platform via IDOR. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-32894 Overview

CVE-2026-32894 is an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS, a widely-used open-source learning management system. The flaw exists in the gradebook result view page, where any authenticated teacher can delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. The vulnerability stems from missing ownership and course-scope verification in the gradebook operations, allowing unauthorized modification of academic records.

Critical Impact

Any authenticated teacher can delete grade results for students in any course across the platform, potentially causing significant academic data integrity issues and disrupting educational records.

Affected Products

  • Chamilo LMS versions prior to 1.11.38
  • Chamilo LMS versions prior to 2.0.0-RC.3

Discovery Timeline

  • 2026-04-10 - CVE-2026-32894 published to NVD
  • 2026-04-13 - Last updated in NVD database

Technical Details for CVE-2026-32894

Vulnerability Analysis

This Insecure Direct Object Reference vulnerability allows authenticated users with teacher privileges to bypass authorization controls in the gradebook module. The core issue lies in the gradebook_view_result.php file, where the application accepts user-supplied result IDs via GET parameters without validating that the requesting teacher has ownership or is associated with the course containing the targeted grade result.

When a teacher accesses the gradebook result deletion functionality, the application retrieves the result based solely on the ID provided in the delete_mark parameter. Prior to the fix, no verification was performed to ensure the result belonged to an evaluation within the teacher's scope. This allows a malicious teacher to iterate through result IDs or target specific students' grades in courses they have no legitimate access to.

Root Cause

The vulnerability originates from insufficient authorization checks in the Result::load() function and its calling code in gradebook_view_result.php. The application trusted user-supplied input ($_GET['delete_mark']) to identify which grade result to delete without verifying that the result's associated evaluation ID (evaluation_id) matched the current evaluation context ($select_eval). This missing validation created a direct object reference that attackers could manipulate to access unauthorized resources.

Attack Vector

An authenticated attacker with teacher privileges can exploit this vulnerability through a simple HTTP GET request. The attack requires:

  1. Valid teacher authentication to the Chamilo LMS platform
  2. Knowledge or enumeration of result IDs (which may be sequential integers)
  3. Crafting a malicious URL with a manipulated delete_mark parameter pointing to a victim's grade result

The attack can be performed through the browser by modifying URL parameters, making it trivially exploitable without specialized tools.

php
// Vulnerable code - gradebook_view_result.php (before patch)
// No validation that the result belongs to the current evaluation context
if (isset($_GET['delete_mark'])) {
    $result = Result::load($_GET['delete_mark']);
    if (!empty($result[0])) {
        $result[0]->delete();  // Deletes any result without authorization check
    }
}

Source: GitHub Commit

The patched code adds evaluation ID validation:

php
// Patched code - validates evaluation ownership
if (isset($_GET['delete_mark'])) {
    $result = Result::load($_GET['delete_mark']);
    if (!empty($result[0]) && $result[0]->get_evaluation_id() == $select_eval) {
        $result[0]->delete();
    }
}

Source: GitHub Commit

Detection Methods for CVE-2026-32894

Indicators of Compromise

  • Unusual patterns of grade deletions across multiple courses by a single teacher account
  • HTTP access logs showing requests to gradebook_view_result.php with sequential or anomalous delete_mark parameter values
  • Grade deletion activity for courses where the authenticated teacher is not enrolled or assigned
  • Spike in gradebook modification events in application audit logs

Detection Strategies

  • Monitor web server access logs for requests to /main/gradebook/gradebook_view_result.php containing delete_mark or resultdelete parameters
  • Implement alerting for grade deletion operations where the teacher's course enrollment doesn't match the affected student's course
  • Review database audit trails for mass deletion patterns in the gradebook_result table
  • Cross-reference teacher session activity with courses they legitimately teach

Monitoring Recommendations

  • Enable verbose logging for gradebook operations in Chamilo LMS configuration
  • Implement database triggers or application-level auditing for grade result modifications
  • Configure web application firewall (WAF) rules to flag suspicious parameter manipulation patterns
  • Set up alerts for teachers accessing grade results outside their assigned courses

How to Mitigate CVE-2026-32894

Immediate Actions Required

  • Upgrade Chamilo LMS to version 1.11.38 or later (for 1.x installations)
  • Upgrade Chamilo LMS to version 2.0.0-RC.3 or later (for 2.x installations)
  • Review gradebook audit logs for any unauthorized grade deletions that may have occurred
  • Implement additional access controls at the web server level until patching is complete

Patch Information

The vulnerability has been addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3. The fix adds validation to ensure that the result being deleted belongs to the current evaluation context by checking $result[0]->get_evaluation_id() == $select_eval before allowing the deletion operation. Security patches are available via the following commits:

For additional details, see the GitHub Security Advisory.

Workarounds

  • Restrict access to the gradebook module through web server configuration until patching is possible
  • Implement additional authentication requirements for grade modification actions
  • Temporarily disable the grade deletion functionality via .htaccess or nginx location blocks
  • Apply manual patching by adding the evaluation ID check as shown in the security commits
bash
# Temporary Apache .htaccess restriction for gradebook module
# Place in /main/gradebook/ directory
<Files "gradebook_view_result.php">
    # Restrict to specific trusted IP addresses until patched
    Require ip 192.168.1.0/24
    # Or disable the delete functionality entirely
    # RewriteEngine On
    # RewriteCond %{QUERY_STRING} delete_mark
    # RewriteRule .* - [F,L]
</Files>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.