CVE-2026-32894 Overview
CVE-2026-32894 is an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS, a widely used open-source learning management system. The flaw exists in the gradebook result view page, where any authenticated teacher can delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. The vulnerability stems from missing ownership and course-scope verification in the gradebook operations, allowing unauthorized modification of academic records.
Critical Impact
Any authenticated teacher can delete grade results for students in any course across the platform, potentially causing significant academic data integrity issues and disrupting educational records.
Affected Products
- Chamilo LMS versions prior to 1.11.38
- Chamilo LMS versions prior to 2.0.0-RC.3
Discovery Timeline
- 2026-04-10 - CVE-2026-32894 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-32894
Vulnerability Analysis
This Insecure Direct Object Reference vulnerability allows authenticated users with teacher privileges to bypass authorization controls in the gradebook module. The core issue lies in the gradebook_view_result.php file, where the application accepts user-supplied result IDs via GET parameters without validating that the requesting teacher has ownership or is associated with the course containing the targeted grade result.
When a teacher accesses the gradebook result deletion functionality, the application retrieves the result based solely on the ID provided in the delete_mark parameter. Prior to the fix, no verification was performed to ensure the result belonged to an evaluation within the teacher's scope. This allows a malicious teacher to iterate through result IDs or target specific students' grades in courses they have no legitimate access to.
Root Cause
The vulnerability originates from insufficient authorization checks in the Result::load() function and its calling code in gradebook_view_result.php. The application trusted user-supplied input ($_GET['delete_mark']) to identify which grade result to delete without verifying that the result's associated evaluation ID (evaluation_id) matched the current evaluation context ($select_eval). This missing validation created a direct object reference that attackers could manipulate to access unauthorized resources.
Attack Vector
An authenticated attacker with teacher privileges can exploit this vulnerability through a simple HTTP GET request. The attack requires:
- Valid teacher authentication to the Chamilo LMS platform
- Knowledge or enumeration of result IDs (which may be sequential integers)
- Crafting a malicious URL with a manipulated delete_mark parameter pointing to a victim's grade result
The attack can be performed through the browser by modifying URL parameters, making it trivially exploitable without specialized tools.
// Vulnerable code - gradebook_view_result.php (before patch)
// No validation that the result belongs to the current evaluation context
if (isset($_GET['delete_mark'])) {
    $result = Result::load($_GET['delete_mark']);
    if (!empty($result[0])) {
        $result[0]->delete(); // Deletes any result without authorization check
    }
}
Source: GitHub Commit
The patched code adds evaluation ID validation:
// Patched code - validates that the result belongs to the current evaluation
if (isset($_GET['delete_mark'])) {
    $result = Result::load($_GET['delete_mark']);
    if (!empty($result[0]) && $result[0]->get_evaluation_id() == $select_eval) {
        $result[0]->delete();
    }
}
Source: GitHub Commit
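The following is an added illustration, not code from Chamilo or from the commits referenced above. It models the same defect and fix in Python against an in-memory SQLite database so the difference can be run and checked: the unscoped delete selects a row by the client-supplied ID alone (the pre-patch behaviour), while the scoped delete binds the row to the evaluation the teacher is acting in (the patch's get_evaluation_id() == $select_eval check) and goes one step further than the page's snippet by also requiring that the evaluation belongs to a course the teacher is assigned to, which is the "course-scope verification" the overview describes as missing. Only the table name gradebook_result comes from the page; the other tables, columns and IDs are constructed for this example and are not Chamilo's real schema.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory schema for the illustration.

    Only gradebook_result is a table name taken from the advisory; course,
    course_teacher and gradebook_evaluation are assumed here and do not
    describe Chamilo's actual schema.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE course (id INTEGER PRIMARY KEY, code TEXT);
        CREATE TABLE course_teacher (course_id INTEGER, user_id INTEGER);
        CREATE TABLE gradebook_evaluation (id INTEGER PRIMARY KEY, course_id INTEGER, name TEXT);
        CREATE TABLE gradebook_result (id INTEGER PRIMARY KEY, evaluation_id INTEGER,
                                       user_id INTEGER, score REAL);
        -- teacher 10 teaches MATH101, teacher 20 teaches HIST200 (constructed data)
        INSERT INTO course VALUES (1, 'MATH101'), (2, 'HIST200');
        INSERT INTO course_teacher VALUES (1, 10), (2, 20);
        INSERT INTO gradebook_evaluation VALUES (12, 1, 'Midterm'), (7, 2, 'Essay');
        INSERT INTO gradebook_result VALUES (101, 12, 500, 88.0),
                                            (102, 12, 501, 74.5),
                                            (55, 7, 600, 91.0);
    """)
    return db


def delete_result_unscoped(db, result_id):
    """Vulnerable pattern: the row is located by the client-supplied ID alone.

    Any caller who can reach this code path can delete any result, which is
    the IDOR described in the advisory. Returns the number of rows deleted.
    """
    cur = db.execute("DELETE FROM gradebook_result WHERE id = ?", (result_id,))
    return cur.rowcount


def delete_result_scoped(db, result_id, evaluation_id, teacher_id):
    """Hardened pattern: the delete is bound to the authorization context.

    Two conditions are added to the lookup itself, so a mismatch simply
    matches zero rows instead of relying on a separate check after loading:
      1. the result must belong to the evaluation the teacher is viewing
         (equivalent to the patch's get_evaluation_id() == $select_eval), and
      2. that evaluation must belong to a course the teacher is assigned to
         (the course-scope check; an assumption about how scope is modelled).
    Returns the number of rows deleted (0 means the request was refused).
    """
    cur = db.execute(
        """
        DELETE FROM gradebook_result
        WHERE id = ?
          AND evaluation_id = ?
          AND evaluation_id IN (
              SELECT e.id
              FROM gradebook_evaluation e
              JOIN course_teacher ct ON ct.course_id = e.course_id
              WHERE ct.user_id = ?)
        """,
        (result_id, evaluation_id, teacher_id),
    )
    return cur.rowcount


if __name__ == "__main__":
    db = build_demo_db()
    # Teacher 20 (HIST200) attempting to remove a MATH101 midterm result:
    print("scoped, wrong course:", delete_result_scoped(db, 101, 12, 20))   # 0
    # Teacher 10 (MATH101) with a result ID that is not in the evaluation shown:
    print("scoped, wrong evaluation:", delete_result_scoped(db, 101, 7, 10))  # 0
    # Legitimate deletion by the owning teacher inside the right evaluation:
    print("scoped, legitimate:", delete_result_scoped(db, 101, 12, 10))      # 1
    # The pre-patch shape succeeds for anyone, regardless of course or evaluation:
    print("unscoped:", delete_result_unscoped(db, 55))                       # 1
```

The design point is that the scope conditions live in the same statement that selects the row, so there is no window in which an object has been loaded but not yet authorized; the page's PHP fix achieves the evaluation part of this with a post-load comparison, which is correct as long as every code path that loads a result performs it.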
Detection Methods for CVE-2026-32894
Indicators of Compromise
- Unusual patterns of grade deletions across multiple courses by a single teacher account
- HTTP access logs showing requests to gradebook_view_result.php with sequential or anomalous delete_mark parameter values
- Grade deletion activity for courses where the authenticated teacher is not enrolled or assigned
- Spike in gradebook modification events in application audit logs
Detection Strategies
- Monitor web server access logs for requests to /main/gradebook/gradebook_view_result.php containing delete_mark or resultdelete parameters
- Implement alerting for grade deletion operations where the teacher's course enrollment doesn't match the affected student's course
- Review database audit trails for mass deletion patterns in the gradebook_result table
- Cross-reference teacher session activity with courses they legitimately teach
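As an added example (not tooling from Chamilo or from the advisory), the script below implements the first two detection strategies above: it parses Apache combined-format access log lines, keeps only requests to /main/gradebook/gradebook_view_result.php that carry a delete_mark or resultdelete parameter, and flags any client that issues a run of consecutive integer result IDs, the enumeration pattern named under Indicators of Compromise. The log lines are constructed sample data, the selecteval query parameter name is an assumption used only to make the URLs realistic, and the run-length threshold is a tunable starting point rather than a value from the page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache combined format (not real traffic).
# The first client walks four consecutive result IDs; the second behaves normally.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2026:09:00:01 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=12&delete_mark=101 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2026:09:00:02 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=12&delete_mark=102 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2026:09:00:03 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=12&delete_mark=103 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2026:09:00:04 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=12&delete_mark=104 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2026:09:05:00 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2026:09:06:00 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=7&delete_mark=55 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Both parameter names come from the advisory.
DELETE_PARAMS = ("delete_mark", "resultdelete")
TARGET_PATH = "/main/gradebook/gradebook_view_result.php"


def parse_delete_requests(log_text):
    """Yield (ip, timestamp, param, value) for every request that sends a
    delete parameter to the gradebook result page. Lines that do not parse
    or that target other paths are ignored."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        qs = parse_qs(url.query)
        for param in DELETE_PARAMS:
            for value in qs.get(param, []):
                yield m.group("ip"), m.group("ts"), param, value


def find_sequential_deletes(log_text, min_run=3):
    """Group delete requests by client IP (in log order) and return one alert
    per run of consecutive integer IDs of length >= min_run, as
    (ip, first_id, last_id, run_length). Non-numeric values are skipped."""
    ids_by_ip = defaultdict(list)
    for ip, _ts, _param, value in parse_delete_requests(log_text):
        if value.isdigit():
            ids_by_ip[ip].append(int(value))

    alerts = []
    for ip, ids in ids_by_ip.items():
        run = [ids[0]]
        for current in ids[1:]:
            if current == run[-1] + 1:
                run.append(current)
                continue
            if len(run) >= min_run:
                alerts.append((ip, run[0], run[-1], len(run)))
            run = [current]
        if len(run) >= min_run:
            alerts.append((ip, run[0], run[-1], len(run)))
    return alerts


if __name__ == "__main__":
    for ip, first, last, n in find_sequential_deletes(SAMPLE_LOG):
        print(f"ALERT {ip}: {n} consecutive delete IDs {first}..{last}")
```

In production the IP key would be replaced by the authenticated user or session identifier, since the access log alone cannot tell whether the deletes were in the teacher's own courses; that correlation is the third and fourth strategy above and needs the application's audit trail or database, not just the web server log.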
Monitoring Recommendations
- Enable verbose logging for gradebook operations in Chamilo LMS configuration
- Implement database triggers or application-level auditing for grade result modifications
- Configure web application firewall (WAF) rules to flag suspicious parameter manipulation patterns
- Set up alerts for teachers accessing grade results outside their assigned courses
How to Mitigate CVE-2026-32894
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.38 or later (for 1.x installations)
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later (for 2.x installations)
- Review gradebook audit logs for any unauthorized grade deletions that may have occurred
- Implement additional access controls at the web server level until patching is complete
Patch Information
The vulnerability has been addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3. The fix adds validation to ensure that the result being deleted belongs to the current evaluation context by checking $result[0]->get_evaluation_id() == $select_eval before allowing the deletion operation. Security patches are available via the following commits:
For additional details, see the GitHub Security Advisory.
Workarounds
- Restrict access to the gradebook module through web server configuration until patching is possible
- Implement additional authentication requirements for grade modification actions
- Temporarily disable the grade deletion functionality via .htaccess or nginx location blocks
- Apply manual patching by adding the evaluation ID check as shown in the security commits
# Temporary Apache .htaccess restriction for gradebook module
# Place in /main/gradebook/ directory (AllowOverride must permit these directives)
<Files "gradebook_view_result.php">
    # Restrict to specific trusted IP addresses until patched (example range)
    Require ip 192.168.1.0/24
</Files>

# Or refuse the delete operations entirely. mod_rewrite directives are not
# permitted inside a <Files> container, so they belong at the top level of the
# .htaccess file; the condition covers both parameters named in this advisory.
# Uncomment to use:
# RewriteEngine On
# RewriteCond %{REQUEST_URI} /gradebook_view_result\.php$
# RewriteCond %{QUERY_STRING} (^|&)(delete_mark|resultdelete)= [NC]
# RewriteRule ^ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.